How to flag DRSUAPI_REPLICA_ADD signature ?

Hi,

I'm currently working on a way to identify and block the DC Shadow attack with an IDS/IPS.

After some tests I'm able to execute a DC Shadow attack and capture the traffic from the client to the Domain Controller. Now I'm trying to identify and extract a generic signature to identify the operation "DRSUAPI_REPLICA_ADD". https://ibb.co/hf7dAT

At the moment I'm only able to extract the full signature with data, so it only blocks the DC Shadow attack with specific parameters.

Do you have any ideas to identify the "DRSUAPI_REPLICA_ADD" itself without the associated data?

Thanks for your help.

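What the question is really after is a match on the DCERPC layer rather than on the stub data. A DsReplicaAdd call is a connection-oriented DCERPC request PDU whose 16-bit opnum field is 5 and whose presentation context was bound (bind or alter_context PDU) to the drsuapi interface UUID e3514235-4b06-11d1-ab04-00c04fc2dcd2 version 4.0 (MS-DRSR). Both of those fields live in the PDU headers, which stay in cleartext even when the client negotiates RPC_C_AUTHN_LEVEL_PKT_PRIVACY and the stub data itself is encrypted, so they do not change with the parameters the tool passes. The following is an added example that is not part of the original post or of any IDS product: a small stateful matcher that parses bind/alter_context PDUs to learn which context id maps to drsuapi, then flags request PDUs with opnum 5 on such a context. The sample PDUs are constructed inline (the drsuapi and samr interface UUIDs and the NDR transfer syntax UUID are the real constants; everything else, including the stub bytes and the class/function names, is made up for the demonstration).

```python
"""Stateful DCERPC matcher for DRSUAPI DsReplicaAdd (opnum 5).

Constructed example (not from the original post or from any IDS).  It tracks
the bind/alter_context PDUs that map a presentation context id to the drsuapi
interface UUID and then flags request PDUs whose opnum is 5 on one of those
contexts.  Stub data is never inspected, so the match does not depend on the
parameters the attacker supplies.
"""
import struct
import uuid

DRSUAPI_IFACE = uuid.UUID("e3514235-4b06-11d1-ab04-00c04fc2dcd2")  # MS-DRSR drsuapi
DRSUAPI_OPNUM_REPLICA_ADD = 5  # IDL_DRSReplicaAdd
NDR_TRANSFER_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")

PTYPE_REQUEST, PTYPE_BIND, PTYPE_ALTER_CONTEXT = 0, 11, 14


def parse_pdu(pdu):
    """Split one connection-oriented DCERPC v5 PDU into (ptype, endian, body)."""
    if len(pdu) < 16 or pdu[0] != 5:
        raise ValueError("not a DCERPC v5 PDU")
    ptype, drep0 = pdu[2], pdu[4]
    endian = "<" if drep0 & 0x10 else ">"  # drep[0] bit 4: little-endian integers
    (frag_len,) = struct.unpack(endian + "H", pdu[8:10])
    if frag_len > len(pdu):
        raise ValueError("truncated PDU")
    return ptype, endian, pdu[16:frag_len]


def bind_contexts(body, endian):
    """Map presentation context id -> (interface UUID, major version) from a bind body."""
    n_ctx, off, ctx = body[8], 12, {}
    for _ in range(n_ctx):
        cont_id, n_ts = struct.unpack(endian + "HB", body[off:off + 3])
        off += 4  # p_cont_id(2) n_transfer_syn(1) reserved(1)
        raw = body[off:off + 16]
        iface = uuid.UUID(bytes_le=raw) if endian == "<" else uuid.UUID(bytes=raw)
        (ver,) = struct.unpack(endian + "I", body[off + 16:off + 20])
        off += 20 + 20 * n_ts  # abstract syntax + n transfer syntaxes (16+4 bytes each)
        ctx[cont_id] = (iface, ver & 0xFFFF)
    return ctx


def request_header(body, endian):
    """Return (p_cont_id, opnum) of a request PDU; alloc_hint occupies body[0:4]."""
    return struct.unpack(endian + "HH", body[4:8])


class DrsuapiReplicaAddDetector:
    """One instance per TCP connection; contexts are only meaningful per connection."""

    def __init__(self):
        self.contexts = {}

    def feed(self, pdu):
        ptype, endian, body = parse_pdu(pdu)
        if ptype in (PTYPE_BIND, PTYPE_ALTER_CONTEXT):
            self.contexts.update(bind_contexts(body, endian))
        elif ptype == PTYPE_REQUEST:
            cont_id, opnum = request_header(body, endian)
            iface = self.contexts.get(cont_id)
            if iface and iface[0] == DRSUAPI_IFACE and opnum == DRSUAPI_OPNUM_REPLICA_ADD:
                return f"DRSUAPI DsReplicaAdd (opnum 5) on context {cont_id}"
        return None


# --- constructed sample traffic (little-endian NDR, as Windows clients send it) ---
def _hdr(ptype, frag_len, call_id=1):
    return struct.pack("<BBBB4sHHI", 5, 0, ptype, 0x03, b"\x10\x00\x00\x00", frag_len, 0, call_id)


def build_bind(contexts):
    body = struct.pack("<HHIBBH", 4280, 4280, 0, len(contexts), 0, 0)
    for cont_id, (iface, ver) in contexts:
        body += struct.pack("<HBB", cont_id, 1, 0) + iface.bytes_le + struct.pack("<I", ver)
        body += NDR_TRANSFER_SYNTAX.bytes_le + struct.pack("<I", 2)
    return _hdr(PTYPE_BIND, 16 + len(body)) + body


def build_request(cont_id, opnum, stub=b""):
    body = struct.pack("<IHH", len(stub), cont_id, opnum) + stub
    return _hdr(PTYPE_REQUEST, 16 + len(body)) + body


def sample_pdus():
    """Made-up client->DC sequence: bind ctx 0 to drsuapi and ctx 1 to samr, then three requests."""
    samr = uuid.UUID("12345778-1234-abcd-ef00-0123456789ac")
    return [
        build_bind([(0, (DRSUAPI_IFACE, 4)), (1, (samr, 1))]),
        build_request(0, 3, b"\x00" * 8),                            # DsGetNCChanges: not flagged
        build_request(1, DRSUAPI_OPNUM_REPLICA_ADD),                 # opnum 5, but on the samr context
        build_request(0, DRSUAPI_OPNUM_REPLICA_ADD, b"\xaa" * 32),   # flagged whatever the stub holds
    ]


def scan(pdus):
    det = DrsuapiReplicaAddDetector()
    return [alert for alert in map(det.feed, pdus) if alert]


if __name__ == "__main__":
    for alert in scan(sample_pdus()):
        print(alert)
```

Two practical notes. First, the same two-field match is what the DCERPC-aware keywords of Suricata (`dce_iface` and `dce_opnum`) and of Snort's dce2 preprocessor give you, so a rule can be written as `dce_iface:e3514235-4b06-11d1-ab04-00c04fc2dcd2; dce_opnum:5;` with no payload bytes at all; drsuapi runs on a dynamic port allocated through the endpoint mapper, so keying on the interface UUID from the bind rather than on a port is essential. Second, a production matcher must reassemble the TCP stream, walk consecutive PDUs by frag_length, and ideally confirm from the bind_ack that the drsuapi context was actually accepted before trusting it; the toy above assumes one whole PDU per call and trusts the client's bind.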