Versions (2)
Version DetailsCurrent
Rev: 4 • Feb 9, 2026, 12:00 PMET EXPLOIT Quest KACE Desktop Authority Insecure Named Pipe ImpersonateAdmin Operation (CVE-2025-67813)
alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Quest KACE Desktop Authority Insecure Named Pipe ImpersonateAdmin Operation (CVE-2025-67813)"; flow:established,to_server; flowbits:isset,ET.QuestKACE.SMB; content:"SMB"; depth:8; content:"|fe ff 00 fe ff 00 fe ff 20|I|00|m|00|p|00|e|00|r|00|s|00|o|00|n|00|a|00|t|00|e|00|A|00|d|00|m|00|i|00|n|00|"; fast_pattern; reference:url,www.netspi.com/blog/technical-blog/adversary-simulation/pipe-dreams-remote-code-execution-via-quest-desktop-authority-named-pipe/; reference:cve,2025-67813; classtype:attempted-admin; sid:2067420; rev:4; metadata:attack_target Server, created_at 2026_02_09, cve CVE_2025_67813, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2026_02_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
Feb 9, 2026, 12:00 PM
Feb 10, 2026, 12:00 PM
Feb 9, 2026, 10:34 PM
Feb 10, 2026, 11:34 PM
rules/emerging-exploit.rules