Snort Sig ?number? Pwdump rule

 

  • GEN:SID
  • Message
  • Summary
  • Impact
  • Affected Systems
  • Attack Scenarios
  • Ease of Attack
  • False Positives
  • False Negatives
  • Corrective Action
  • Contributors
  • Additional References
  • ????
  • PWdump6 Session Established test file created.
  • This event is generated when an PWdump6 attempts to create a test file on the victim's windows computer.
  • If sucessful, it is highly likely that dumping the SAM hashes will succeed.
  • Windows Sever/Workstation 2000, XP, ME, 2003, Vista (32 and 64-bit versions of all)
  • Offline Password cracking / bruteforcing.
  • Moderate, attacker must have Administrator level access or System level access to or on the victims machine.
  • None known.
  • None known.
  • Disallowing access to shares by firewalling or NTFS ACL's. Antivirus software can be effective at preventing access and or intercepting the threat.
  • Rich Rumble <richrumble a+ gmail.com>
  • None.