ATTACK [PTsecurity] Trans2 Sub-Command 0x0E. Likely ETERNALBLUE (WannaCry, Petya) tool

SID: 10001256
Rev: 2
Source: ptresearch/attackdetection
Created: March 30, 2022
Updated: March 30, 2022
Classification: attempted-admin
alert smb any any -> $HOME_NET any (msg:"ATTACK [PTsecurity] Trans2 Sub-Command 0x0E. Likely ETERNALBLUE (WannaCry, Petya) tool"; flow:to_server, established; content:"|FF|SMB2|00 00 00 00|"; depth:9; offset:4; content:"|0E 00|"; distance:52; within:2; flowbits:set, SMB.Trans2.SubCommand.Unimplemented.Code0E; reference:url, msdn.microsoft.com/en-us/library/ee441654.aspx; classtype:attempted-admin; reference:url, github.com/ptresearch/AttackDetection; sid:10001256; rev:2;)
