Rule History

alert tcp-pkt any any -> $HOME_NET 445 (msg:"🐾 - 🔔 SMB - Suspicious session setup request + NTLMSSP_AUTH 🪟 Possible Impacket or Metasploit smb connection (no DFS support + null hostname) 🥷 - T1021.002"; flow: to_server, stateless; content:"|fe 53 4d 42 40 00 01 00 00 00 00 00 01 00|"; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 00 00 01 00 00 00 00 00 00 00 00 58 00|"; fast_pattern; content:"|4e 54 4c 4d 53 53 50 00 03 00 00 00|"; content:"|00 00 00|"; content:"|00 00 00|"; distance:1; content:"|00 00 00 00 00 00 00 00|"; reference:url,https://attack.mitre.org/techniques/T1021/002/; reference:url,https://www.secureauth.com/labs/open-source-tools/impacket/; metadata:created_at 2024_01_06, updated_at 2024_04_23, signature_severity Major, attack_target Client_Endpoint, affected_product Windows_XP_Vista_7_8_10_11_Server_32_64_Bit, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1021_002, mitre_technique_name Remote_Services_SMB_Windows_Admin_Shares; sid:3301111; rev:5; classtype:attempted-recon;)