Rule History

SID: 10001720 • Source: ptrules/open

Versions (7)

Version DetailsCurrent

Rev: 1 • Jun 24, 2025, 4:00 PM

Message:

ATTACK AD [PTsecurity] Successful ETERNALCHAMPION attack (MS17-010 / CVE-2017-0146)

Rule:

alert smb any any -> any any (msg: "ATTACK AD [PTsecurity] Successful ETERNALCHAMPION attack (MS17-010 / CVE-2017-0146)"; flow: established, from_server; content: "|FF|SMB|A0|"; content: "Frag"; within: 115; flowbits: isset, EternalRomance.RaceCondition.Attempt; reference: cve, 2017-0146; reference: url, github.com/rapid7/metasploit-framework/commit/c9473f8cbc147fe6ff7fe27862fd3d1e9f27c4f5; reference: url, blogs.technet.microsoft.com/srd/2017/06/29/eternal-champion-exploit-analysis; reference: url, rules.ptsecurity.com; classtype: successful-admin; sid: 10001720; rev: 1;)

Created:

Jun 24, 2025, 4:00 PM

Updated:

Mar 17, 2026, 2:15 PM

DB Created:

Oct 16, 2025, 10:34 AM

DB Updated:

May 15, 2026, 1:35 PM

Filename:

rules/ptopen-windows.rules