Versions (6)
Version DetailsCurrent
Rev: 2 • Jul 24, 2025, 5:44 PMATTACK [PTsecurity] LSASS Remote Memory Corruption Attempt (MS16-137)
alert tcp any any -> any 445 (msg: "ATTACK [PTsecurity] LSASS Remote Memory Corruption Attempt (MS16-137)"; flow: established, no_stream; content: "|FF|SMB|73 00 00 00 00|"; offset: 4; depth: 9; content: "|FF 00|"; offset: 37; depth: 2; content: "|01 00 00 00 00 00|"; offset: 45; depth: 6; content: "|00 00 00 00 D4 00 00 A0|"; distance: 2; within: 8; content: "|A1 84|"; distance: 2; within: 2; byte_test: 1,!=,0xD1,0,relative; flowbits: set, CVE.2016-7237.Attempt; xbits: set,CVE.2016-7237.Attempt,track ip_dst,expire 15; reference: cve, 2016-7237; reference: url, g-laurent.blogspot.ru/2016/11/ms16-137-lsass-remote-memory-corruption.html; reference: url, rules.ptsecurity.com; classtype: attempted-dos; sid: 10000532; rev: 2;)
Jul 24, 2025, 5:44 PM
Jul 24, 2025, 5:44 PM
Oct 16, 2025, 10:34 AM
Oct 16, 2025, 10:34 AM
rules/ptopen-attacks.rules