Rule History

SID: 2024216 • Source: et/open

Versions (4)

Version DetailsCurrent

Rev: 2 • Apr 17, 2017, 12:00 PM

Message:

ET EXPLOIT Possible DOUBLEPULSAR Beacon Response

Rule:

alert smb $HOME_NET any -> any any (msg:"ET EXPLOIT Possible DOUBLEPULSAR Beacon Response"; flow:from_server,established; content:"|00 00 00 23 ff|SMB2|02 00 00 c0 98 07 c0 00 00|"; depth:18; content:"|00 00 00 08 ff fe 00 08|"; distance:8; within:8; fast_pattern; pcre:"/^[\x50-\x59]/R"; content:"|00 00 00|"; distance:1; within:3; endswith; classtype:trojan-activity; sid:2024216; rev:2; metadata:attack_target Client_Endpoint, created_at 2017_04_17, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag c2, updated_at 2019_09_28, mitre_tactic_id TA0010, mitre_tactic_name Exfiltration, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)

Created:

Apr 17, 2017, 12:00 PM

Updated:

Sep 28, 2019, 12:00 PM

DB Created:

Sep 21, 2024, 3:00 AM

DB Updated:

May 30, 2025, 12:04 AM

Filename:

rules/emerging-exploit.rules