Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
411
Views
0
Helpful
4
Replies

Sig for NT account

bizsnatch
Level 1
Level 1

‎10-08-2004 07:29 AM - edited ‎03-09-2019 09:02 AM

I want to create a signature that will fire on an admin account logging in to NT 4.

account: admin

Any suggestions?

It needs to use the SMB protocol

Labels:
0 Helpful
4 Replies 4

bizsnatch
Level 1
Level 1

‎10-08-2004 08:22 AM

I tried creating a string.tcp sig and using the regex:

[A][a][D][d][M][m][I][i][N][n]

I also tried the hex representation of admin:

[61][00][64][[00]][6d][00][69][00][6e][00][00][00]

Neither worked

0 Helpful

jimwelsh
Level 1
Level 1
In response to bizsnatch

‎10-08-2004 11:49 AM

First, you need to better understand Regular Expression Syntax. This document should help:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/cmdref/15599ch1.htm

Specifically, chars inside square brackets means "any one of these chars". So "[A][a][D][d]" means exactly "AaDd", and "[61][00][64]" means "606" or "604" or "106" or "104".

Try this:

[Aa]\x00[Dd]\x00[Mm]\x00[Ii]\x00[Nn]\x00\x00\x00

It will match "admin" with any combination of upper- or lower-case chars, and has the necessary null chars ("\x00") inserted, including the two nulls at the end that mark the end of the string.

0 Helpful

scothrel
Level 3
Level 3

‎10-08-2004 01:29 PM

It will also likely be Unicode encoded if its sourced from an NT box.

0 Helpful

jimwelsh
Level 1
Level 1
In response to scothrel

‎10-08-2004 01:57 PM

Re: Unicode: Exactly. Hence, the \x00 chars.

0 Helpful
Customers Also Viewed These Support Documents