alert smb any any -> $HOME_NET any (msg:"ET MALWARE [ANY.RUN] Impacket Framework Default SMB Server GUID Detected"; flow:established,to_client; content:"SMB"; offset:5; depth:3; content:"|00 00|"; distance:8; within:2; byte_jump:2,-10,relative,little, post_offset 2; content:"|41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41|"; fast_pattern; within:16; threshold:type limit, seconds 60, count 1, track by_dst; reference:url,github.com/fortra/impacket; reference:md5,53b820f2ab8dc03987109c6282d9d74b; reference:url,app.any.run/tasks/dd2e2001-0808-440f-9115-29b36a77c6d1; classtype:credential-theft; sid:2051432; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Windows_11, attack_target Client_and_Server, tls_state plaintext, created_at 2024_02_29, deployment Perimeter, deployment Internal, former_category INFO, performance_impact Significant, confidence High, signature_severity Major, tag impacket, updated_at 2026_01_20; target:dest_ip;)