Rule History

SID: 10001720 • Source: ptrules/open

Versions (2)

Rev: 1

May 15, 2026, 1:35 PM

Current

Rev: 1

Oct 16, 2025, 10:34 AM

Archived

Version DetailsCurrent

Rev: 1 • Jun 24, 2025, 4:00 PM

Message:

ATTACK AD [PTsecurity] Successful ETERNALCHAMPION attack (MS17-010 / CVE-2017-0146)

Rule:

alert smb any any -> any any (msg:"ATTACK AD [PTsecurity] Successful ETERNALCHAMPION attack (MS17-010 / CVE-2017-0146)"; flow:established, from_server; content:"|FF|SMB|A0|"; content:"Frag"; within:115; flowbits:isset, EternalRomance.RaceCondition.Attempt; reference:cve, 2017-0146; reference:url, github.com/rapid7/metasploit-framework/commit/c9473f8cbc147fe6ff7fe27862fd3d1e9f27c4f5; reference:url, blogs.technet.microsoft.com/srd/2017/06/29/eternal-champion-exploit-analysis; reference:url, rules.ptsecurity.com; classtype:successful-admin; sid:10001720; rev:1;)

Created:

Jun 24, 2025, 4:00 PM

Updated:

Mar 17, 2026, 2:15 PM

DB Created:

Oct 16, 2025, 10:34 AM

DB Updated:

May 15, 2026, 1:35 PM

Filename:

rules/ptopen-windows.rules