Rule History

SID: 2067419 • Source: et/open

Versions (2)

Version DetailsCurrent

Rev: 3 • Feb 9, 2026, 12:00 PM

Message:

ET EXPLOIT Quest KACE Desktop Authority Insecure Named Pipe Credentials Operation (CVE-2025-67813)

Rule:

alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Quest KACE Desktop Authority Insecure Named Pipe Credentials Operation (CVE-2025-67813)"; flow:established,to_server; flowbits:isset,ET.QuestKACE.SMB; content:"SMB"; depth:8; content:"|fe ff 00 fe ff 00 fe ff 16|C|00|r|00|e|00|d|00|e|00|n|00|t|00|i|00|a|00|l|00|s|00|"; fast_pattern; reference:url,www.netspi.com/blog/technical-blog/adversary-simulation/pipe-dreams-remote-code-execution-via-quest-desktop-authority-named-pipe/; reference:cve,2025-67813; classtype:attempted-user; sid:2067419; rev:3; metadata:attack_target Server, created_at 2026_02_09, cve CVE_2025_67813, deployment Perimeter, deployment Internal, former_category INFO, confidence High, signature_severity Major, tag Exploit, updated_at 2026_02_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)

Created:

Feb 9, 2026, 12:00 PM

Updated:

Feb 10, 2026, 12:00 PM

DB Created:

Feb 9, 2026, 10:34 PM

DB Updated:

Feb 10, 2026, 11:34 PM

Filename:

rules/emerging-exploit.rules