Snort Sig ?number? FGdump rule

GEN:SID                ????
Message                FGdump Session Established test file created.
Summary                This event is generated when FGdump attempts to create a test file on the victim's Windows computer.
Impact                 If successful, it is highly likely that dumping the SAM hashes will succeed.
Affected Systems       Windows Server/Workstation 2000, XP, ME, 2003, Vista (32- and 64-bit versions of all)
Attack Scenarios       Offline password cracking / brute-forcing.
Ease of Attack         Moderate; the attacker must have Administrator-level or System-level access to or on the victim's machine.
False Positives        None known.
False Negatives        None known.
Corrective Action      Disallow access to shares by firewalling or NTFS ACLs. Antivirus software can be effective at preventing access and/or intercepting the threat.
Contributors           Rich Rumble <richrumble a+ gmail.com>
Additional References  None.

This rule can be used to detect both FGDump and PWDump6, as the two tools have much in common:

alert tcp any any -> $HOME_NET 139:445 (msg:"EXPLOIT Foofus.net Password dumping, dll injection"; flow:to_server,established; content:"|6c 00 73 00 72 00 65 00 6d 00 6f 00 72 00 61|"; classtype:suspicious-filename-detect; sid:999999; rev:1;)
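As an added example (not the rule page's own code), the following decodes the rule's content option, expands its port specification, and applies the content match to constructed SMB payload fragments. It shows that the match keys on the UTF-16LE spelling of the lsremora DLL name the two tools share (so an 8-bit spelling of the same name would not fire it), and that in Snort syntax 139:445 is a range covering every port from 139 to 445, whereas [139,445] would name only the two SMB ports. The sample fragments and their framing bytes are constructed, not captured traffic.

```python
# Added example, not from the rule page: decode the rule's content match, expand
# its port spec, and run the match over constructed SMB payload fragments.
RULE_CONTENT = '|6c 00 73 00 72 00 65 00 6d 00 6f 00 72 00 61|'   # verbatim from the rule
RULE_PORTS = '139:445'                                            # verbatim from the rule

def snort_content_to_bytes(content: str) -> bytes:
    """Turn a Snort content string (literal text mixed with |hex| runs) into bytes."""
    out = bytearray()
    for i, part in enumerate(content.split('|')):
        if i % 2:                       # odd pieces sit between bars: hex bytes
            out += bytes.fromhex(part)
        else:                           # even pieces are literal text
            out += part.encode('latin-1')
    return bytes(out)

def decode_wide(data: bytes) -> str:
    """Decode UTF-16LE, tolerating an odd length (the rule omits the final 00)."""
    if len(data) % 2:
        data += b'\x00'
    return data.decode('utf-16-le')

def snort_ports(spec: str) -> set:
    """Expand a Snort port spec: a single port, a low:high range, or a [a,b,...] list."""
    spec = spec.strip()
    if spec.startswith('[') and spec.endswith(']'):
        return set().union(*(snort_ports(p) for p in spec[1:-1].split(',')))
    if ':' in spec:
        lo, hi = spec.split(':')
        return set(range(int(lo or 0), int(hi or 65535) + 1))
    return {int(spec)}

PATTERN = snort_content_to_bytes(RULE_CONTENT)

def matches_rule_content(payload: bytes) -> bool:
    """The rule's content test: does the byte pattern occur anywhere in the payload?"""
    return PATTERN in payload

# Constructed sample fragments (not real captures). SMB carries filenames as
# UTF-16LE, which is why the rule's hex bytes are interleaved with 00.
WIDE_NAME = b'\x00\x00' + 'lsremora.dll'.encode('utf-16-le')   # name as sent over SMB
ASCII_NAME = b'\x00\x00' + b'lsremora.dll'                     # same name, 8-bit encoding
BENIGN = b'\x00\x00' + 'report.docx'.encode('utf-16-le')

if __name__ == '__main__':
    print(decode_wide(PATTERN))                     # lsremora
    print(len(snort_ports(RULE_PORTS)))             # 307: 139:445 is a range
    print(len(snort_ports('[139,445]')))            # 2: the list form
    for label, frag in [('wide', WIDE_NAME), ('ascii', ASCII_NAME), ('benign', BENIGN)]:
        print(label, matches_rule_content(frag))
```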