How to flag DRSUAPI_REPLICA_ADD signature ?
Hi,
I'm currently working on a way to identify and block DC Shadow attack with and IDS/IPS.
After some tests I'm able to execute DC Shadow attack and capture the traffic from the client to the Domain Controller. Now I'm trying to identify and extract a generic signature to identify the operation "DRSUAPI-REPLICA-ADD". https://ibb.co/hf7dAT
At the moment I'm just able to extract the full signature with data so it's just blocking DC Shadow attack with specific parameters.
Do you have any ideas to identify the "DRSUAPI-REPLICA-ADD" itself without associated datas?
Thanks for your help.