Found on the internet some IOCs which seem to be implemented by some vendors.
| Indicator | Description | ATT&CK | Detection |
|---|---|---|---|
| Auth Spray | 100s of low-success NTLM auths across users to multiple hosts (e.g., `nxc smb -u users.txt -p pass --gen-relay-list`). | T1110.003 | Correlate failed logons with SMB connects. |
| Relay Setup | SMB relay attempts (e.g., Responder integration) with HTTP->SMB coercion. | T1557.001 | Monitor for LLMNR/NBT-NS poisoning + auth to 445. |
| Dump Volume | Sudden spike in large file transfers (>10MB) over SMB (e.g., NTDS.dit ~50MB). | T1003.002 | Alert on SMB Write Request >5MB to admin shares. |
| Command Execution | Inline PowerShell or `cmd.exe /c whoami /all` over WinRM post-auth. | T1059.001 | WinRM logs with base64-encoded payloads. |
| Hash Cracking | Outbound DNS to crack.asciichua.com (NetExec's integrated hasher). | T1552.001 | UDP/53 queries for known wordlist domains. |
| Module Chaining | LDAP enum -> Kerberos TGT -> SMB dump sequence within 5min. | TA0008 | SIEM correlation: LDAP + Kerberos + SMB events. |
| Evasion Attempts | SMB signing disabled requests or DoS-like pings (`nxc smb --ping`). | T1562.001 | SMB flags with signing disabled on admin ports. |

| Artifact | Pattern | Context | Wireshark filter |
|---|---|---|---|
| SMB Command | `\PIPE\lsarpc` or `OpenSCManagerW` | LSARPC bind for LSA secrets dump. | `smb.file_name contains "lsarpc"` |
| NTLM Challenge | NTLMSSP signature with target name SMB_DOMAIN and challenge response using LMv2 hash. | Auth during secretsdump module. | `ntlm and smb.cmd == 0x72` (Session Setup). |
| Kerberos Ticket | TGS-REQ with service principal cifs/DC and RC4 etype (23). | Lateral movement to shares for NTDS extraction. | `kerberos.KRB_MESSAGE_TYPE == 12` |
| WinRM Payload | XML: `<s:Envelope><s:Header><a:Action s:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2004/09/enumeration/Enumerate</a:Action>` | Enum for remote command exec (e.g., `reg.exe save HKLM\SAM`). | `http contains "wsman" and http.request.method == "POST"` |
| LDAP Filter | `(sAMAccountName=*)` or `(userAccountControl:1.2.840.113556.1.4.803:=512)` | Disabled user enum prior to pass-the-hash. | `ldap.filter contains "sAMAccountName"` |
| DCERPC Call | Opnum 0x0C (LsaOpenPolicy) or 0x23 (SamrQueryInformationDomain) in LSARPC/SAMR. | Policy open for cred retrieval. | `dcerpc.opnum == 12` |
| Impacket Fingerprint | User-Agent: Python-urllib/3.x or HTTP header Impacket in RPC over HTTP. | Fallback for proxied attacks. | `http.user_agent contains "Python-urllib"` |
| Secretsdump Specific | Binary: `4d 53 50 49 00 2f 73 65 63 72 65 74 73` (MSI for SAM export). | Temp file creation over SMB. | `smb contains "secrets"` |

| Activity | Description | Network indicator |
|---|---|---|
| Port Scanning/Enumeration | Rapid TCP connects to SMB (445), WinRM (5985/5986), Kerberos (88), LDAP (389/636), RDP (3389) from a single source IP. | Alert on >10 connects/sec to AD ports from non-DC hosts. |
| SMB Sessions | High-volume SMBv1/v2/v3 sessions with NTLM auth (not Kerberos) to domain controllers. | TCP/445 with SMB Negotiate Protocol Request containing dialect 0xFF534D42 (SMB2). |
| WinRM Execution | HTTP/HTTPS POST to /wsman on 5985/5986 with WS-Management envelope for command execution (e.g., wmic or reg save for cred dumps). | TLS/5986 with User-Agent: "Microsoft WinRM Client". |
| Kerberos Pre-Auth | AS-REQ floods for TGT requests with RC4-HMAC encryption (weak, often used in spraying). | UDP/88 with PA-PAC-REQUEST in Kerberos packet. |
| RPC over SMB | DCERPC binds to LSARPC (Pipe: `\PIPE\lsarpc`) or SAMR (Pipe: `\PIPE\samr`) for enumeration/dumping. | TCP/445 followed by SMB Trans2 Request for named pipes. |
| LDAP Queries | Unsigned LDAP binds with filters like `(objectClass=user)` for user enum before cred attacks. | TCP/389 with LDAP Bind Request (no SASL). |
| RDP Shadowing | Unusual RDP connections (3389) post-SMB auth, often for mimikatz integration. | TCP/3389 with X.224 Connection Request from non-RDP client. |

Maybe it might be helpful for feature modifications and evasion updates.
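The "Auth Spray" and "Module Chaining" rows above describe correlations rather than single-event matches. The following is an added example of what that correlation logic looks like when run over a log stream; it is not code from this issue or from NetExec. The CSV log format, the thresholds (60-second spray window, 5 accounts, 2 hosts) and the sample events are all constructed for illustration; the 5-minute chain window is the one stated in the table.

```python
"""Correlation checks for two rows of the IOC table: the NTLM password spray
("100s of low-success NTLM auths across users to multiple hosts") and the
LDAP -> Kerberos -> SMB module chain within five minutes.

The log format and thresholds below are assumptions made for this example;
the events are constructed, not captured telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds (tune to the environment).
SPRAY_WINDOW = timedelta(seconds=60)   # look-back window for failed NTLM logons
SPRAY_MIN_USERS = 5                    # distinct accounts tried from one source
SPRAY_MIN_HOSTS = 2                    # distinct targets hit from one source
CHAIN_WINDOW = timedelta(minutes=5)    # LDAP -> Kerberos -> SMB, as in the table

# Constructed sample events: timestamp,source,destination,protocol,user,outcome
SAMPLE_LOG = """\
2024-01-01T10:00:01,10.0.0.5,dc01,ntlm,alice,failure
2024-01-01T10:00:02,10.0.0.5,dc01,ntlm,bob,failure
2024-01-01T10:00:03,10.0.0.5,fs01,ntlm,carol,failure
2024-01-01T10:00:04,10.0.0.5,fs01,ntlm,dave,failure
2024-01-01T10:00:05,10.0.0.5,dc01,ntlm,erin,failure
2024-01-01T10:00:06,10.0.0.5,fs01,ntlm,frank,success
2024-01-01T10:00:07,10.0.0.5,fs01,ntlm,grace,failure
2024-01-01T10:05:00,10.0.0.9,dc01,ntlm,helpdesk,failure
2024-01-01T10:05:10,10.0.0.9,dc01,ntlm,helpdesk,success
2024-01-01T11:00:00,10.0.0.7,dc01,ldap,svc,success
2024-01-01T11:01:00,10.0.0.7,dc01,kerberos,svc,success
2024-01-01T11:03:00,10.0.0.7,dc01,smb,svc,success
2024-01-01T11:00:00,10.0.0.8,dc01,ldap,ops,success
2024-01-01T11:01:00,10.0.0.8,dc01,kerberos,ops,success
2024-01-01T11:10:00,10.0.0.8,dc01,smb,ops,success
"""


def load_events(text):
    """Parse the simple CSV format above into dicts with a datetime timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, src, dst, proto, user, outcome = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                       "proto": proto, "user": user, "outcome": outcome})
    return events


def detect_spray(events):
    """Return {source: (users, hosts, failures)} for sources whose failed NTLM
    logons inside one SPRAY_WINDOW cover many accounts and several hosts."""
    failed = defaultdict(list)
    for e in events:
        if e["proto"] == "ntlm" and e["outcome"] == "failure":
            failed[e["src"]].append(e)
    hits = {}
    for src, evs in failed.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits in SPRAY_WINDOW.
            while evs[end]["ts"] - evs[start]["ts"] > SPRAY_WINDOW:
                start += 1
            window = evs[start:end + 1]
            users = {e["user"] for e in window}
            hosts = {e["dst"] for e in window}
            # Keep the densest qualifying window per source.
            if (len(users) >= SPRAY_MIN_USERS and len(hosts) >= SPRAY_MIN_HOSTS
                    and (src not in hits or len(window) > hits[src][2])):
                hits[src] = (len(users), len(hosts), len(window))
    return hits


def detect_chain(events):
    """Return sources that produced LDAP, then Kerberos, then SMB events, in
    that order, with the SMB event within CHAIN_WINDOW of the LDAP event."""
    seen = defaultdict(lambda: defaultdict(list))
    for e in events:
        seen[e["src"]][e["proto"]].append(e["ts"])
    hits = []
    for src, protos in seen.items():
        for t_ldap in sorted(protos["ldap"]):
            later_krb = [t for t in protos["kerberos"] if t > t_ldap]
            if not later_krb:
                continue
            t_krb = min(later_krb)
            if any(t_krb < t <= t_ldap + CHAIN_WINDOW for t in protos["smb"]):
                hits.append(src)
                break
    return sorted(hits)


if __name__ == "__main__":
    evs = load_events(SAMPLE_LOG)
    print("spray sources:", detect_spray(evs))   # {'10.0.0.5': (6, 2, 6)}
    print("chain sources:", detect_chain(evs))   # ['10.0.0.7']
```

In the constructed data 10.0.0.5 trips the spray rule (six accounts across two hosts in a few seconds), 10.0.0.9 does not (one account, a normal retry), and 10.0.0.7 trips the chain rule while 10.0.0.8 does not because its SMB event lands ten minutes after the LDAP query. A real deployment would feed these functions from 4625/4624 logon events and Zeek or firewall connection logs rather than a CSV string, but the windowing and ordering logic is the same.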