🐾 - 🚨 PsExec service creation 🥷 - T1569.002
Source: pawpatrules
alert tcp any any -> $HOME_NET 445 (msg: "🐾 - 🚨 PsExec service creation 🥷 - T1569.002"; flow: to_server, stateless; content: "|50 00 53 00 45 00 58 00 45 00 53 00 56 00 43 00 2d|"; content: "|2d 00 73 00 74 00 64 00 69 00 6e|"; content: "|53 4d 42 40|"; fast_pattern; target: dest_ip; reference: url,https://attack.mitre.org/techniques/T1569/002/; reference: url,https://learn.microsoft.com/en-us/sysinternals/downloads/psexec; metadata: created_at 2025_03_30, updated_at 2025_03_30, signature_severity Major, attack_target Client_and_Server, affected_product Windows_XP_Vista_7_8_10_11_Server_32_64_Bit, mitre_tactic_id TA0002, mitre_tactic_name Execution, mitre_technique_id T1569_002, mitre_technique_name System_Services-Service_Execution; sid: 3321439; rev: 1; classtype: policy-violation;)
References
URL: https://attack.mitre.org/techniques/T1569/002/
URL: https://learn.microsoft.com/en-us/sysinternals/downloads/psexec
Metadata
created_at: 2025_03_30
updated_at: 2025_03_30
signature_severity: Major
attack_target: Client_and_Server
affected_product: Windows_XP_Vista_7_8_10_11_Server_32_64_Bit
mitre_tactic_id: TA0002
mitre_tactic_name: Execution
mitre_technique_id: T1569_002
mitre_technique_name: System_Services-Service_Execution