ET MALWARE Possible Dragonfly APT Activity - SMB credential harvesting - Suricata Rule 2024898 (et/open)

ET MALWARE Possible Dragonfly APT Activity - SMB credential harvesting

SID: 2024898Rev: 10 viewsHistory

Sourceet/open

CreatedOctober 23, 2017

UpdatedJuly 26, 2019

Classificationtargeted-activity

alert tcp any any -> any 445 (msg:"ET MALWARE Possible Dragonfly APT Activity - SMB credential harvesting"; flow:established,to_server; content:"|FF|SMB|75 00 00 00 00|"; offset:4; depth:9; content:"|08 00 01 00|"; distance:3; content:"|00 5c 5c|"; distance:2; within:3; content:"|5c|AME_ICON.PNG"; distance:7; fast_pattern; reference:url,www.us-cert.gov/ncas/alerts/TA17-293A; reference:url,www.us-cert.gov/sites/default/files/publications/MIFR-10128883_TLP_WHITE.pdf; classtype:targeted-activity; sid:2024898; rev:1; metadata:attack_target Client_Endpoint, created_at 2017_10_23, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2019_07_26;)

References

url	www.us-cert.gov/ncas/alerts/TA17-293A
url	www.us-cert.gov/sites/default/files/publications/MIFR-10128883_TLP_WHITE.pdf

Metadata

attack targetClient_Endpoint

created at2017_10_23

deploymentPerimeter

confidenceMedium

signature severityMajor

updated at2019_07_26

Comments (0)

Please sign in to leave a comment.

No comments yet. Be the first to comment!