Back to Rule

Rule History

SID: 10001719 • Source: ptrules/open

Versions (7)

Rev: 1
May 15, 2026, 1:35 PM
Current
Rev: 1
Oct 16, 2025, 10:34 AM
Archived
Rev: 1
Oct 7, 2025, 5:34 PM
Archived
Rev: 1
Jul 14, 2025, 6:34 AM
Archived
Rev: 1
Jun 19, 2025, 11:34 AM
Archived
Rev: 1
Jun 11, 2025, 11:34 AM
Archived
Rev: 1
Dec 3, 2024, 4:43 PM
Archived

Version DetailsCurrent

Rev: 1Jun 24, 2025, 4:00 PM

ATTACK AD [PTsecurity] ETERNALCHAMPION Exploitation attempt (MS17-010 / CVE-2017-0146)

alert smb any any -> any any (msg:"ATTACK AD [PTsecurity] ETERNALCHAMPION Exploitation attempt (MS17-010 / CVE-2017-0146)"; flow:established, no_stream, to_server; content:"|FF|SMB|A1|"; flowbits:isset, EternalRomance.RaceCondition.Possible; flowbits:set, EternalRomance.RaceCondition.Attempt; threshold:type both, track by_src, count 1, seconds 60; reference:cve, 2017-0146; reference:url, github.com/rapid7/metasploit-framework/commit/c9473f8cbc147fe6ff7fe27862fd3d1e9f27c4f5; reference:url, blogs.technet.microsoft.com/srd/2017/06/29/eternal-champion-exploit-analysis; reference:url, rules.ptsecurity.com; classtype:attempted-admin; sid:10001719; rev:1;)

Jun 24, 2025, 4:00 PM

Mar 17, 2026, 2:15 PM

Oct 16, 2025, 10:34 AM

May 15, 2026, 1:35 PM

rules/ptopen-windows.rules