🐾 - 🚨 PsExec service creation 🥷 - T1569.002
Source: pawpatrules
Created: March 30, 2025
Updated: March 30, 2025
Classification: policy-violation
alert tcp any any -> $HOME_NET 445 (msg:"🐾 - 🚨 PsExec service creation 🥷 - T1569.002"; flow:to_server, stateless; content:"|50 00 53 00 45 00 58 00 45 00 53 00 56 00 43 00 2d|"; content:"|2d 00 73 00 74 00 64 00 69 00 6e|"; content:"|53 4d 42 40|"; fast_pattern; target:dest_ip; reference:url,https://attack.mitre.org/techniques/T1569/002/; reference:url,https://learn.microsoft.com/en-us/sysinternals/downloads/psexec; metadata:created_at 2025_03_30, updated_at 2025_03_30, signature_severity Major, attack_target Client_and_Server, affected_product Windows_XP_Vista_7_8_10_11_Server_32_64_Bit, mitre_tactic_id TA0002, mitre_tactic_name Execution, mitre_technique_id T1569_002, mitre_technique_name System_Services-Service_Execution; sid:3321439; rev:1; classtype:policy-violation;)
References
Metadata
created at: 2025_03_30
updated at: 2025_03_30
signature severity: Major
attack target: Client_and_Server
affected product: Windows_XP_Vista_7_8_10_11_Server_32_64_Bit
mitre tactic id: TA0002
mitre tactic name: Execution
mitre technique id: T1569_002
mitre technique name: System_Services-Service_Execution