silence-is-best/gist:25ae0929c277642e86ecf592598a3254

Created September 14, 2020 20:34

Star 4 You must be signed in to star a gist
Fork 1 You must be signed in to fork a gist

Learn more about clone URLs
Clone this repository at <script src="https://gist.github.com/silence-is-best/25ae0929c277642e86ecf592598a3254.js"></script>
Save silence-is-best/25ae0929c277642e86ecf592598a3254 to your computer and use it in GitHub Desktop.

Download ZIP

DCSync detection

Raw

gistfile1.txt

alert tcp any any -> [!<domaincontrollers to exclude here] [49152:65535] (msg:"Possible DCSync Detected"; flow:to_server,established; flags:PA; content:"|00 03 10 00 00 00|"; depth:8; content:"|03 00|"; distance:14; classtype:attempted-admin; sid:20166316;)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment