Mimikatz CVE-2020-1472 Zerologon snort suricata
alert tcp any any -> any ![139,445] (msg:"Possible Mimikatz Zerologon Attempt"; flow:established,to_server; content:"|00|"; offset:2; content:"|0f 00|"; distance:22; within:2; fast_pattern; content:"|00 00 00 00 00 00 00 00 ff ff 2f 21|"; within:90; reference:cve,2020-1472; classtype:attempted-admin; sid:20166330; rev:2; metadata:created_at 2020_09_19;)
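The rule chains three `content` matches with `offset`, `distance` and `within`. As an added example (not part of the gist, and not Snort or Suricata code), this Python model of that chain can be run on constructed payloads to check which byte layouts satisfy it before deploying the rule. The names `chain_matches` and `build` and the 0x41 filler bytes are assumptions of the example.

```python
# Added example: simplified model of the rule's content chain.
# Ports, flow state and fast_pattern selection are not modelled.
LAST_CONTENT = bytes(8) + b"\xff\xff\x2f\x21"

# (pattern, offset, distance, within) copied from the rule; None = not set.
RULE_CHAIN = [
    (b"\x00", 2, None, None),        # offset without depth: match floats
    (b"\x0f\x00", None, 22, 2),      # exactly 22 bytes after previous match
    (LAST_CONTENT, None, None, 90),  # must end within 90 bytes of previous
]


def chain_matches(payload, chain=RULE_CHAIN, idx=0, prev_end=0):
    """Return True if every content in the chain matches, in order.

    Backtracks over earlier match positions when a later relative
    content fails, so a floating first match is explored fully.
    """
    if idx == len(chain):
        return True
    pat, offset, distance, within = chain[idx]
    if distance is None and within is None:
        lo = offset or 0                  # absolute start position
        hi = len(payload)
    else:
        lo = prev_end + (distance or 0)   # relative to previous match end
        hi = len(payload) if within is None else min(len(payload), lo + within)
    pos = payload.find(pat, lo, hi)       # pattern must fit inside [lo, hi)
    while pos != -1:
        if chain_matches(payload, chain, idx + 1, pos + len(pat)):
            return True
        pos = payload.find(pat, pos + 1, hi)
    return False


def build(first_zero_at=2, gap=22, tail_gap=10):
    """Constructed test payload (not captured traffic); filler is 0x41."""
    return (b"\x41" * first_zero_at + b"\x00" + b"\x41" * gap
            + b"\x0f\x00" + b"\x41" * tail_gap + LAST_CONTENT)


if __name__ == "__main__":
    for label, data in [("baseline", build()),
                        ("first 00 at byte 6", build(first_zero_at=6)),
                        ("gap of 23", build(gap=23)),
                        ("tail ends past 90", build(tail_gap=79))]:
        print(f"{label:20} -> {chain_matches(data)}")
```

Because the first `content` has `offset:2` but no `depth`, the model accepts a `|00|` at any position from byte 2 onward, and the rest of the chain is measured from wherever that byte is found.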