16 lines
634 B
Text
16 lines
634 B
Text
|
rule hacktool_multi_ntlmrelayx
|
||
|
{
|
||
|
meta:
|
||
|
description = "https://www.fox-it.com/en/insights/blogs/blog/inside-windows-network/"
|
||
|
reference = "https://github.com/CoreSecurity/impacket/blob/master/examples/ntlmrelayx.py"
|
||
|
author = "@mimeframe"
|
||
|
strings:
|
||
|
$a1 = "Started interactive SMB client shell via TCP" wide ascii
|
||
|
$a2 = "Service Installed.. CONNECT!" wide ascii
|
||
|
$a3 = "Done dumping SAM hashes for host:" wide ascii
|
||
|
$a4 = "DA already added. Refusing to add another" wide ascii
|
||
|
$a5 = "Domain info dumped into lootdir!" wide ascii
|
||
|
condition:
|
||
|
any of ($a*)
|
||
|
}
|