Rules
rulesptopen-windows.rules
13.47 KBModified 2024-10-17 11:57
1alert tcp any any -> any any (msg: "ATTACK AD [PTsecurity] Remote WMI Win32_Process create"; flow: established, to_server; content: "|05 00 00|"; depth: 3; content: "W|00|i|00|n|00|3|00|2|00|_|00|P|00|r|00|o|00|c|00|e|00|s|00|s|00 00 00|"; fast_pattern; content: "c|00|r|00|e|00|a|00|t|00|e|00|"; distance: 16; within: 12; nocase; flowbits: set, WMI.Win32_Process.Create; threshold: type limit, track by_src, count 1, seconds 10; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10001999; rev: 3;)
2
3alert tcp any any -> any any (msg: "ATTACK AD [PTsecurity] Suspicious Remote WMI Win32_Process create"; flow: established, to_server; content: "__PARAMETERS|00 00|"; content: "http://"; distance: 0; pcre: "/__PARAMETERS\x00\x00[^\x00]+?(?:cmd|powershell)[^\x00]+?http:\/\//"; flowbits: isset, WMI.Win32_Process.Create; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10002000; rev: 2;)
4
5alert tcp !$DC_SERVERS any -> $DC_SERVERS [1024:] (msg: "ATTACK AD [PTsecurity] DCShadow Replication Attempt"; flow: established, to_server; content: "|05 00 0B|"; depth: 3; content: "|35 42 51 E3 06 4B D1 11 AB 04 00 C0 4F C2 DC D2|"; distance: 0; flowbits: set, RPC.Bind.DRSUAPI; flowbits: noalert; reference: url, rules.ptsecurity.com; reference: url, dcshadow.com; classtype: attempted-admin; sid: 10002557; rev: 3;)
6
7alert tcp !$DC_SERVERS any -> $DC_SERVERS [1024:] (msg: "ATTACK AD [PTsecurity] DCShadow Replication Attempt - DsAddEntry from non-DC"; flow: established, to_server, no_stream; content: "|05 00 00 03|"; depth: 4; content: "|11 00|"; distance: 18; within: 2; flowbits: isset, RPC.Bind.DRSUAPI; flowbits: set, RPC.DsAddEntry; flowbits: noalert; reference: url, rules.ptsecurity.com; reference: url, dcshadow.com; classtype: attempted-admin; sid: 10009196; rev: 1;)
8
9alert tcp !$DC_SERVERS any -> $DC_SERVERS [1024:] (msg: "ATTACK AD [PTsecurity] DCShadow Replication Attempt - DRSUAPI_REPLICA_ADD from non-DC"; flow: established, to_server, no_stream; content: "|05 00 00 03|"; depth: 4; content: "|05 00|"; distance: 18; within: 2; flowbits: isset, RPC.DsAddEntry; reference: url, rules.ptsecurity.com; reference: url, dcshadow.com; classtype: attempted-admin; sid: 10002558; rev: 2;)
10
11alert tcp !$DC_SERVERS any -> any any (msg: "ATTACK AD [PTsecurity] DCShadow: Fake DC Creation"; flow: established, to_server; content: "|68 84 00|"; content: "CN="; distance: 5; within: 3; content: "CN=Servers,CN="; distance: 0; content: ",CN=Sites,CN=Configuration,DC="; distance: 0; content: "objectClass"; distance: 0; content: "server"; distance: 0; reference: url, rules.ptsecurity.com; reference: url, blog.alsid.eu/dcshadow-explained-4510f52fc19d; classtype: attempted-admin; sid: 10002559; rev: 3;)
12
13alert tcp-pkt any any -> any any (msg: "ATTACK AD [PTsecurity] IREMOTEWINSPOOL Bind"; flow: established, to_server; content: "|96 3F F0 76 FD CD FC 44 A2 2C 64 95 0A 00 12 09|"; flowbits: set, DCERPC.IREMOTEWINSPOOL.Bind; flowbits: noalert; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10006624; rev: 3;)
14
15alert tcp-pkt any any -> any any (msg: "ATTACK AD [PTsecurity] SPOOLSS Bind"; flow: established, to_server; content: "|78 56 34 12 34 12 CD AB EF 00 01 23 45 67 89 AB|"; flowbits: set, DCERPC.SPOOLSS.Bind; flowbits: noalert; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10006626; rev: 3;)
16
17alert tcp any any -> any any (msg: "ATTACK AD [PTsecurity] PrintNightmare attempt (CVE-2021-1675)"; flow: established, to_server; content: "|05 00 00|"; depth: 119; content: "|00 00|"; distance: 15; within: 2; content: "|00 27 00|"; distance: 1; within: 3; flowbits: isset, DCERPC.IREMOTEWINSPOOL.Bind; threshold: type limit, track by_dst, count 1, seconds 60; reference: url, rules.ptsecurity.com; reference: url, github.com/gentilkiwi/mimikatz/releases/tag/2.2.0-20210709; reference: cve, 2021-1675; classtype: attempted-admin; sid: 10006625; rev: 5;)
18
19alert tcp any any -> any any (msg: "ATTACK AD [PTsecurity] PrintNightmare attempt (CVE-2021-1675)"; flow: established, to_server; content: "|05 00 00|"; depth: 119; content: "|00 00|"; distance: 15; within: 2; content: "|00 59 00|"; distance: 1; within: 3; flowbits: isset, DCERPC.SPOOLSS.Bind; threshold: type limit, track by_dst, count 1, seconds 60; reference: url, rules.ptsecurity.com; reference: cve, 2021-1675; classtype: attempted-admin; sid: 10006627; rev: 5;)
20
21alert smb any any -> any any (msg: "ATTACK AD [PTsecurity] Possible SystemNightmare LPE"; flow: established; content: "|63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 00 00 77 00 69 00 6E 00 73 00 74 00 61 00 30 00 5C 00 64 00 65 00 66 00 61 00 75 00 6C 00 74 00 00 00|"; reference: url, rules.ptsecurity.com; reference: url, github.com/gentilkiwi/mimikatz/blob/master/mimispool/README.md; classtype: attempted-admin; sid: 10006770; rev: 2;)
22
23alert smb any any -> any any (msg: "ATTACK AD [PTsecurity] HTTP-to-SMB NTLM Relay attack (SMBv1)"; flow: established, to_server; content: "|FF|SMB|73|"; content: "NTLMSSP|00 03 00 00 00|"; distance: 0; content: "|09 00|"; distance: 0; within: 600; content: "H|00|T|00|T|00|P|00 2F|"; distance: 2; within: 9; isdataat: 200, relative; reference: url, rules.ptsecurity.com; reference: url, byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html; classtype: attempted-admin; sid: 10005230; rev: 3;)
24
25alert smb any any -> any any (msg: "ATTACK AD [PTsecurity] HTTP-to-SMB NTLM Relay attack (SMBv2)"; flow: established, to_server; content: "|FE|SMB"; content: "|01 00|"; distance: 8; within: 2; content: "NTLMSSP|00 03 00 00 00|"; distance: 0; content: "|09 00|"; distance: 0; within: 600; content: "H|00|T|00|T|00|P|00 2F|"; distance: 2; within: 9; isdataat: 200, relative; reference: url, rules.ptsecurity.com; reference: url, byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html; classtype: attempted-admin; sid: 10005231; rev: 3;)
26
27alert smb any any -> any any (msg: "ATTACK AD [PTsecurity] SMB2 Create PSEXESVC.EXE"; flow: to_server, established, no_stream; content: "|fe 53 4d 42|"; offset: 4; depth: 4; content: "|05 00|"; offset: 16; depth: 2; byte_jump: 2, 112, little, from_beginning, post_offset 4; content: "|50 00 53 00 45 00 58 00 45 00 53 00 56 00 43 00 2e 00 45 00 58 00 45|"; distance: 0; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10001444; rev: 1;)
28
29alert smb any any -> any any (msg: "ATTACK AD [PTsecurity] SPOOLSS DCERPC/SMB Bind"; flow: to_server, established, no_stream; content: "SMB"; offset: 5; depth: 3; content: "|05 00 0B|"; distance: 0; content: "|78 56 34 12 34 12 cd ab ef 00 01 23 45 67 89 ab 01 00 00 00|"; distance: 29; flowbits: set, DCERPC.BIND.SPOOLSS; flowbits: noalert; reference: url, rules.ptsecurity.com; classtype: attempted-recon; sid: 10004152; rev: 1;)
30
31alert smb any any -> any any (msg: "ATTACK AD [PTsecurity] Possible MS-RPRN abuse (PrinterBug). Hash or Ticket theft"; flow: to_server, established, no_stream; content: "SMB"; offset: 5; depth: 3; content: "|05 00 00|"; distance: 0; byte_test: 1, &, 0x80, 0, relative; content: "|41 00|"; distance: 19; within: 2; content: "|00 01 00 00|"; distance: 36; within: 4; content: "|5C 00 5C 00|"; fast_pattern; distance: 0; flowbits: isset, DCERPC.BIND.SPOOLSS; xbits: set, CoercedAuth, track ip_dst, expire 10; reference: url, posts.specterops.io/not-a-security-boundary-breaking-forest-trusts-cd125829518d; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10004153; rev: 5;)
32
33alert smb any any -> any any (msg: "ATTACK AD [PTsecurity] Possibly successful Coerce attack. Machine account NTLM Hash leak"; flow: established, to_server; content: "NTLMSSP|00 03 00 00 00|"; byte_jump: 4, 36, relative, little, post_offset -55; content: "|00 24 00|"; within: 3; xbits: isset, CoercedAuth, track ip_src; reference: url, github.com/p0dalirius/windows-coerced-authentication-methods; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10006670; rev: 2;)
34
35alert smb any any -> any any (msg: "ATTACK AD [PTsecurity] Unimplemented Trans2 Sub-Command code. Possible ETERNALBLUE (WannaCry, Petya) tool (CVE-2017-0144)"; flow: to_server, established; content: "|FF|SMB2|00 00 00 00|"; depth: 9; offset: 4; byte_test: 2, >, 0x0008, 52, relative, little; pcre: "/\xFFSMB2\x00\x00\x00\x00.{52}(?:\x04|\x09|\x0A|\x0B|\x0C|\x0E|\x11)\x00/s"; reference: cve, 2017-0144; reference: url, msdn.microsoft.com/en-us/library/ee441654.aspx; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10001254; rev: 5;)
36
37alert smb any any -> any any (msg: "ATTACK AD [PTsecurity] Flowbits for SMB NTTrans Request"; flow: established, to_server, no_stream; content: "|FF|SMB|A0|"; flowbits: set, SMB.NTTrans.Req; flowbits: unset, SMB.NTTrans2.Req; flowbits: noalert; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10001724; rev: 1;)
38
39alert smb any any -> any any (msg: "ATTACK AD [PTsecurity] Flowbits for SMB NTTrans2 Request"; flow: established, to_server, no_stream; content: "|FF|SMB|32|"; flowbits: set, SMB.NTTrans2.Req; flowbits: noalert; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10001725; rev: 1;)
40
41alert smb any any -> any any (msg: "ATTACK AD [PTsecurity] Metasploit MS17-010 ETERNALBLUE Exploitation (CVE-2017-0144)"; flow: established, to_server, no_stream; content: "|FF|SMB|33|"; byte_test: 2, >, 61000, 42, relative, little; flowbits: isset, SMB.NTTrans.Req; flowbits: isnotset, SMB.NTTrans2.Req; reference: cve, 2017-0144; reference: url, github.com/rapid7/metasploit-framework/commit/c9473f8cbc147fe6ff7fe27862fd3d1e9f27c4f5; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10001726; rev: 1;)
42
43alert smb any any -> any any (msg: "ATTACK AD [PTsecurity] Metasploit MS17-010 ETERNALCHAMPION. Non-Fragmented NT Trans Request with command NT Rename (CVE-2017-0146)"; flow: established, to_server; content: "|FF|SMB|A0|"; offset: 4; depth: 5; byte_extract: 4, 35, NTTrans.TotalDataCount, relative, little; byte_test: 4, =, NTTrans.TotalDataCount, 16, relative, little; content: "|05 00|"; distance: 25; within: 2; isdataat: 300, relative; flowbits: set, EternalRomance.RaceCondition.Possible; flowbits: noalert; reference: cve, 2017-0146; reference: url, github.com/rapid7/metasploit-framework/commit/c9473f8cbc147fe6ff7fe27862fd3d1e9f27c4f5; reference: url, blogs.technet.microsoft.com/srd/2017/06/29/eternal-champion-exploit-analysis; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10001717; rev: 2;)
44
45alert smb any any -> any any (msg: "ATTACK AD [PTsecurity] NT Trans Response"; flow: established, from_server; content: "|FF|SMB|A0|"; offset: 4; depth: 5; flowbits: isset, EternalRomance.RaceCondition.Possible; flowbits: unset, EternalRomance.RaceCondition.Possible; flowbits: noalert; reference: cve, 2017-0146; reference: url, github.com/rapid7/metasploit-framework/commit/c9473f8cbc147fe6ff7fe27862fd3d1e9f27c4f5; reference: url, blogs.technet.microsoft.com/srd/2017/06/29/eternal-champion-exploit-analysis; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10001718; rev: 1;)
46
47alert smb any any -> any any (msg: "ATTACK AD [PTsecurity] Metasploit MS17-010 ETERNALCHAMPION Race Condition Exploit. NT Trans Secondary packet follows NT Trans Req (CVE-2017-0146)"; flow: established, no_stream, to_server; content: "|FF|SMB|A1|"; flowbits: isset, EternalRomance.RaceCondition.Possible; flowbits: set, EternalRomance.RaceCondition.Attempt; threshold: type both, track by_src, count 1, seconds 60; reference: cve, 2017-0146; reference: url, github.com/rapid7/metasploit-framework/commit/c9473f8cbc147fe6ff7fe27862fd3d1e9f27c4f5; reference: url, blogs.technet.microsoft.com/srd/2017/06/29/eternal-champion-exploit-analysis; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10001719; rev: 1;)
48
49alert smb any any -> any any (msg: "ATTACK AD [PTsecurity] Metasploit MS17-010 ETERNALCHAMPION Successful kernel data leak (CVE-2017-0146)"; flow: established, from_server; content: "|FF|SMB|A0|"; content: "Frag"; within: 115; flowbits: isset, EternalRomance.RaceCondition.Attempt; reference: cve, 2017-0146; reference: url, github.com/rapid7/metasploit-framework/commit/c9473f8cbc147fe6ff7fe27862fd3d1e9f27c4f5; reference: url, blogs.technet.microsoft.com/srd/2017/06/29/eternal-champion-exploit-analysis; reference: url, rules.ptsecurity.com; classtype: successful-admin; sid: 10001720; rev: 1;)
50
51alert smb any any -> any any (msg: "ATTACK AD [PTsecurity] Metasploit MS17-010 ETERNALROMANCE exploitation (CVE-2017-0143)"; flow: established, to_server; content: "|FF|SMB|A1|"; content: "|FF|SMB|A0|"; distance: 0; content: "|05 00|"; distance: 64; within: 2; content: "|FF|SMB|25|"; distance: 13; within: 5; content: "|FF|SMB|25|"; distance: 67; within: 5; content: "|FF|SMB|25|"; distance: 67; within: 5; content: "|FF|SMB|25|"; distance: 67; within: 5; content: "|FF|SMB|25|"; distance: 67; within: 5; content: "|FF|SMB|25|"; distance: 67; within: 5; content: "|FF|SMB|25|"; distance: 67; within: 5; content: "|FF|SMB|25|"; distance: 67; within: 5; content: "|FF|SMB|25|"; distance: 67; within: 5; content: "|FF|SMB|25|"; distance: 67; within: 5; content: "|FF|SMB|25|"; distance: 67; within: 5; content: "|FF|SMB|25|"; distance: 67; within: 5; threshold: type both, track by_src, count 1, seconds 60; reference: cve, 2017-0143; reference: url, github.com/rapid7/metasploit-framework/commit/c9473f8cbc147fe6ff7fe27862fd3d1e9f27c4f5; reference: url, www.crowdstrike.com/blog/badrabbit-ms17-010-exploitation-part-one-leak-and-control; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10001723; rev: 2;)