ATTACK [PTsecurity] Unimplemented Trans2 Sub-Command code. Possible ETERNALBLUE (WannaCry, Petya) tool

SID: 10001254
Rev: 2
Source: ptresearch/attackdetection
Created: December 13, 2021
Updated: December 13, 2021
Classification: attempted-admin
alert smb any any -> $HOME_NET any (msg:"ATTACK [PTsecurity] Unimplemented Trans2 Sub-Command code. Possible ETERNALBLUE (WannaCry, Petya) tool"; flow:to_server, established; content:"|FF|SMB2|00 00 00 00|"; depth:9; offset:4; byte_test:2, >, 0x0008, 52, relative, little; pcre:"/\xFFSMB2\x00\x00\x00\x00.{52}(?:\x04|\x09|\x0A|\x0B|\x0C|\x0E|\x11)\x00/s"; flowbits:set, SMB.Trans2.SubCommand.Unimplemented; reference:url, msdn.microsoft.com/en-us/library/ee441654.aspx; classtype:attempted-admin; reference:url, github.com/ptresearch/AttackDetection; sid:10001254; rev:2;)
