Rule History

alert smb any any -> $HOME_NET any (msg:"ET POLICY Possible winexe over SMB - Possible Lateral Movement"; flow:to_server,established; content:"|ff|SMB"; offset:4; depth:4; content:"|5c 00|a|00|h|00|e|00|x|00|e|00|c|00 00 00|"; fast_pattern; endswith; nocase; reference:url,attack.mitre.org/software/S0191/; classtype:bad-unknown; sid:2026879; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_05, deployment Perimeter, performance_impact Moderate, confidence Medium, signature_severity Informational, updated_at 2020_11_10, reviewed_at 2024_05_06, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1570, mitre_technique_name Lateral_Tool_Transfer;)