Rule History

SID: 2024898 • Source: et/open

Versions (3)

Version DetailsCurrent

Rev: 1 • Oct 23, 2017, 12:00 PM

Message:

ET MALWARE Possible Dragonfly APT Activity - SMB credential harvesting

Rule:

alert tcp any any -> any 445 (msg:"ET MALWARE Possible Dragonfly APT Activity - SMB credential harvesting"; flow:established,to_server; content:"|FF|SMB|75 00 00 00 00|"; offset:4; depth:9; content:"|08 00 01 00|"; distance:3; content:"|00 5c 5c|"; distance:2; within:3; content:"|5c|AME_ICON.PNG"; distance:7; fast_pattern; reference:url,www.us-cert.gov/ncas/alerts/TA17-293A; reference:url,www.us-cert.gov/sites/default/files/publications/MIFR-10128883_TLP_WHITE.pdf; classtype:targeted-activity; sid:2024898; rev:1; metadata:attack_target Client_Endpoint, created_at 2017_10_23, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2019_07_26;)

Created:

Oct 23, 2017, 12:00 PM

Updated:

Jul 26, 2019, 12:00 PM

DB Created:

Sep 21, 2024, 3:00 AM

DB Updated:

May 30, 2025, 12:04 AM

Filename:

rules/emerging-malware.rules