Permalink
Cannot retrieve contributors at this time
10 lines (5 sloc)
2.44 KB
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| alert smb any any -> $HOME_NET any (msg: "ATTACK [PTsecurity] Unimplemented Trans2 Sub-Command code. Possible ETERNALBLUE (WannaCry, Petya) tool"; flow: to_server, established; content: "|FF|SMB2|00 00 00 00|"; depth: 9; offset: 4; byte_test: 2, >, 0x0008, 52, relative, little; pcre: "/\xFFSMB2\x00\x00\x00\x00.{52}(?:\x04|\x09|\x0A|\x0B|\x0C|\x0E|\x11)\x00/s"; flowbits: set, SMB.Trans2.SubCommand.Unimplemented; reference: url, msdn.microsoft.com/en-us/library/ee441654.aspx; classtype: attempted-admin; reference: url, github.com/ptresearch/AttackDetection; sid: 10001254; rev: 2;) | |
| #alert smb any any -> $HOME_NET any (msg: "ATTACK [PTsecurity] ETERNALBLUE (WannaCry, Petya) SMB MS Windows RCE"; flow: to_server, established; content: "|FF|SMB3|00 00 00 00|"; depth: 9; offset: 4; flowbits: isset, SMB.Trans2.SubCommand.Unimplemented; threshold: type limit, track by_src, seconds 60, count 1; reference: cve, 2017-0144; classtype: attempted-admin; reference: url, github.com/ptresearch/AttackDetection; sid: 10001255; rev: 3;) | |
| #alert smb any any -> $HOME_NET any (msg: "ATTACK [PTsecurity] Trans2 Sub-Command 0x0E. Likely ETERNALBLUE (WannaCry, Petya) tool"; flow: to_server, established; content: "|FF|SMB2|00 00 00 00|"; depth: 9; offset: 4; content: "|0E 00|"; distance: 52; within: 2; flowbits: set, SMB.Trans2.SubCommand.Unimplemented.Code0E; reference: url, msdn.microsoft.com/en-us/library/ee441654.aspx; classtype: attempted-admin; reference: url, github.com/ptresearch/AttackDetection; sid: 10001256; rev: 2;) | |
| alert smb any any -> $HOME_NET any (msg: "ATTACK [PTsecurity] Petya ransomware perfc.dat component"; flow: to_server, established, no_stream; content: "|fe 53 4d 42|"; offset: 4; depth: 4; content: "|05 00|"; offset: 16; depth: 2; byte_jump: 2, 112, little, from_beginning, post_offset 4; content: "|70 00 65 00 72 00 66 00 63 00 2e 00 64 00 61 00 74 00|"; distance:0; classtype:suspicious-filename-detect; reference: url, github.com/ptresearch/AttackDetection; sid: 10001443; rev: 1;) | |
| alert smb any any -> $HOME_NET any (msg:"ATTACK [PTsecurity] SMB2 Create PSEXESVC.EXE"; flow:to_server, established, no_stream; content: "|fe 53 4d 42|"; offset: 4; depth: 4; content: "|05 00|"; offset: 16; depth: 2; byte_jump: 2, 112, little, from_beginning, post_offset 4; content:"|50 00 53 00 45 00 58 00 45 00 53 00 56 00 43 00 2e 00 45 00 58 00 45|"; distance:0; classtype:suspicious-filename-detect; reference: url, github.com/ptresearch/AttackDetection; sid: 10001444; rev:1;) | |