# Disabled (commented-out) copy of sid:2024766 rev:2, added 2020-08-05. Detection logic is byte-for-byte the same
# as the active rev:2 rule further down this page; the only difference is that the two separate "metadata:" options
# were merged into one and the keys sorted alphabetically. Kept here as revision history only.
#
# Match logic (shared with rev:2): SMB1 header "\xFFSMB" at payload offset 4 (after the 4-byte NetBIOS session
# header), command byte '2' (0x32, SMB_COM_TRANSACTION2) and a zero NT status; then 52 bytes past the content
# match (payload offset 65, the Trans2 Setup[0] subcommand word) must be non-zero and one of 0x0004/0x0009/
# 0x000A/0x000B/0x000C/0x000E/0x0011 — the subcommands the rev:1 flowbit name "SubCommand.Unimplemented" refers to.
#
# NOTE(review): the pcre skips the 52 bytes with "." and has no "s" modifier, so "." will not match a 0x0A byte;
# a request carrying 0x0A anywhere in payload offsets 13..64 (SMB TID/UID/MID, Trans2 counts/offsets/Timeout)
# does not trigger this rule. The "?" in "DoublePulsar?" looks like a TWiki WikiWord rendering artifact rather
# than part of the published msg — confirm against the upstream ruleset before reusing this text.
#alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT [PTsecurity] DoublePulsar? Backdoor installation communication"; flow: to_server, established; content:"|FF|SMB2|00 00 00 00|"; depth: 9; offset: 4; byte_test:2,!=,0x0000,52,relative,little; pcre: "/^.{52}(?:\x04|\x09|\x0A|\x0B|\x0C|\x0E|\x11)\x00/R"; reference:url,github.com/ptresearch/AttackDetection; classtype:attempted-admin; sid:2024766; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Server, created_at 2017_09_25, deployment Internet, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2017_09_28;)

Added 2020-08-05 19:13:58 UTC


# Disabled copy of sid:2024766 rev:2 as re-listed on 2018-09-13. Identical to the active rev:2 rule below except
# that updated_at is 2017_09_28 (the active copy still says 2017_09_25). Revision history only; the later
# 2020-08-05 entry at the top of this page consolidates the two "metadata:" options into one.
#
# NOTE(review): same caveat as every revision of this signature — the pcre's ".{52}" has no "s" modifier, so a
# 0x0A byte anywhere in payload offsets 13..64 prevents a match. The "?" after DoublePulsar is most likely a
# TWiki WikiWord artifact of this page, not part of the published msg.
#alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT [PTsecurity] DoublePulsar? Backdoor installation communication"; flow: to_server, established; content:"|FF|SMB2|00 00 00 00|"; depth: 9; offset: 4; byte_test:2,!=,0x0000,52,relative,little; pcre: "/^.{52}(?:\x04|\x09|\x0A|\x0B|\x0C|\x0E|\x11)\x00/R"; metadata: former_category EXPLOIT; reference:url,github.com/ptresearch/AttackDetection; classtype:attempted-admin; sid:2024766; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Server, deployment Internet, signature_severity Major, created_at 2017_09_25, performance_impact Low, updated_at 2017_09_28;)

Added 2018-09-13 19:54:08 UTC


Added 2018-09-13 18:01:48 UTC


# Disabled copy of sid:2024766 rev:2 added 2017-09-28 (metadata updated_at bumped to 2017_09_28; detection options
# unchanged from the active rev:2 rule below). Revision history only.
#
# NOTE(review): the pcre's ".{52}" carries no "s" modifier, so "." does not match 0x0A and a Trans2 request with a
# 0x0A byte in payload offsets 13..64 is not detected by this revision. The "?" after DoublePulsar is most likely
# a TWiki WikiWord rendering artifact, not part of the published msg.
#alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT [PTsecurity] DoublePulsar? Backdoor installation communication"; flow: to_server, established; content:"|FF|SMB2|00 00 00 00|"; depth: 9; offset: 4; byte_test:2,!=,0x0000,52,relative,little; pcre: "/^.{52}(?:\x04|\x09|\x0A|\x0B|\x0C|\x0E|\x11)\x00/R"; metadata: former_category EXPLOIT; reference:url,github.com/ptresearch/AttackDetection; classtype:attempted-admin; sid:2024766; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Server, deployment Internet, signature_severity Major, created_at 2017_09_25, performance_impact Low, updated_at 2017_09_28;)

Added 2017-09-28 16:29:34 UTC


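# ET EXPLOIT sid:2024766 rev:2 (added 2017-09-26) — DoublePulsar SMB backdoor command channel, client -> server
# on TCP/445. Replaces the rev:1 "ET TROJAN" signature lower on this page: category changed TROJAN -> EXPLOIT,
# fast_pattern/threshold/flowbits dropped, byte_test moved in front of the pcre and relaxed to "!= 0".
#
# Match logic:
#   content "|FF|SMB2|00 00 00 00|" offset 4 depth 9 : skip the 4-byte NetBIOS session header, then require an
#     SMB1 header "\xFFSMB" whose command byte is '2' (0x32 = SMB_COM_TRANSACTION2) and whose 4-byte NT status
#     is zero. Match ends at payload offset 13.
#   byte_test 2,!=,0x0000,52,relative,little : 52 bytes past the content match is payload offset 65, which in a
#     Trans2 request is Setup[0], the little-endian 16-bit subcommand. Cheap pre-filter: it must be non-zero.
#   pcre ^.{52}(...)\x00 /R : the same Setup word must be 0x0004, 0x0009, 0x000A, 0x000B, 0x000C, 0x000E or
#     0x0011 — the subcommands the rev:1 flowbit name "SubCommand.Unimplemented" refers to; a normal SMB client
#     has no reason to send them, which is what makes this a low-noise indicator.
#
# Fix vs. upstream rev:2: ".{52}" was used to skip to the Setup word, but without the "s" modifier PCRE's "."
# does not match 0x0A. Any Trans2 request with a 0x0A byte in payload offsets 13..64 (SMB Flags/TID/UID/MID,
# Trans2 counts, offsets or the Timeout field) therefore slipped past the pcre even though byte_test passed.
# "/Rs" makes "." match every byte; no other option is changed. Bump rev (and updated_at) if this modified copy
# is loaded alongside the upstream ruleset, otherwise Suricata will pick one of two different rev:2 bodies.
#
# NOTE(review): the "?" in "DoublePulsar?" is almost certainly a TWiki WikiWord rendering artifact of this page
# and not part of the published msg — drop it before loading the rule.
alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT [PTsecurity] DoublePulsar? Backdoor installation communication"; flow: to_server, established; content:"|FF|SMB2|00 00 00 00|"; depth: 9; offset: 4; byte_test:2,!=,0x0000,52,relative,little; pcre: "/^.{52}(?:\x04|\x09|\x0A|\x0B|\x0C|\x0E|\x11)\x00/Rs"; metadata: former_category EXPLOIT; reference:url,github.com/ptresearch/AttackDetection; classtype:attempted-admin; sid:2024766; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Server, deployment Internet, signature_severity Major, created_at 2017_09_25, performance_impact Low, updated_at 2017_09_25;)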

Added 2017-09-26 19:24:52 UTC


# sid:2024766 rev:1 re-tagged "ET DELETED" and disabled on 2017-09-25, 24 minutes after the original ET TROJAN
# entry below was published; rev:2 (ET EXPLOIT, further up this page) replaced it the next day. Revision history only.
#
# Differences from rev:2: category TROJAN, fast_pattern on the content, a per-destination threshold (one alert
# per 60 s), a flowbit set on match, and the byte_test placed AFTER the pcre with ">, 0x0008" (which also excludes
# subcommand 0x0004 that the pcre alternation still allows).
#
# NOTE(review): because a pcre with the "R" modifier advances the relative-match cursor to the end of its own
# match, the trailing "byte_test ... 52, relative" here most likely inspects 52 bytes beyond the Setup word
# (around payload offset 119), not the Setup word the pcre just matched — the ordering was inverted in rev:2.
# The "?" in "DoublePulsar?" and "SubCommand?.Unimplemented" looks like TWiki WikiWord rendering; the flowbit
# name in the published rule is presumably "SubCommand.Unimplemented" — confirm before reusing.
#alert tcp any any -> $HOME_NET 445 (msg:"ET DELETED [PTsecurity] DoublePulsar? Backdoor installation communication"; flow: to_server, established; content: "|FF|SMB2|00 00 00 00|"; depth: 9; offset: 4; fast_pattern; pcre:"/^.{52}(?:\x04|\x09|\x0A|\x0B|\x0C|\x0E|\x11)\x00/R"; byte_test: 2, >, 0x0008, 52, relative, little; threshold:type limit, count 1, seconds 60, track by_dst; flowbits: set, SubCommand?.Unimplemented; metadata: former_category TROJAN; reference:url,github.com/ptresearch/AttackDetection; classtype:attempted-admin; sid:2024766; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Server, deployment Internet, signature_severity Major, created_at 2017_09_25, performance_impact Low, updated_at 2017_09_25;)

Added 2017-09-25 18:16:44 UTC


# Original sid:2024766 rev:1 (ET TROJAN), published 2017-09-25 17:52 UTC from the PT Security AttackDetection
# signature set, then marked DELETED the same day and superseded by rev:2 (ET EXPLOIT). Revision history only.
#
# Match logic: SMB1 header "\xFFSMB" at payload offset 4 with command byte '2' (0x32, SMB_COM_TRANSACTION2) and
# zero NT status (fast_pattern on this content); the pcre then skips 52 bytes to payload offset 65, the Trans2
# Setup[0] subcommand word, and requires one of 0x0004/0x0009/0x000A/0x000B/0x000C/0x000E/0x0011 — the set the
# flowbit name "SubCommand.Unimplemented" describes. Alerts are rate-limited to one per destination per 60 s and
# the flowbit is set for follow-on rules to chain on.
#
# NOTE(review): two things rev:2 changed, both worth knowing if this revision is ever revived. (1) The byte_test
# sits after the pcre, and a pcre with "R" advances the relative cursor to the end of its match, so this byte_test
# most likely tests bytes ~52 past the Setup word rather than the Setup word itself. (2) ".{52}" has no "s"
# modifier, so a 0x0A byte anywhere in payload offsets 13..64 prevents the pcre from matching. The "?" in
# "DoublePulsar?" and "SubCommand?.Unimplemented" looks like TWiki WikiWord rendering, not rule text — confirm.
alert tcp any any -> $HOME_NET 445 (msg:"ET TROJAN [PTsecurity] DoublePulsar? Backdoor installation communication"; flow: to_server, established; content: "|FF|SMB2|00 00 00 00|"; depth: 9; offset: 4; fast_pattern; pcre:"/^.{52}(?:\x04|\x09|\x0A|\x0B|\x0C|\x0E|\x11)\x00/R"; byte_test: 2, >, 0x0008, 52, relative, little; threshold:type limit, count 1, seconds 60, track by_dst; flowbits: set, SubCommand?.Unimplemented; metadata: former_category TROJAN; reference:url,github.com/ptresearch/AttackDetection; classtype:attempted-admin; sid:2024766; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Server, deployment Internet, signature_severity Major, created_at 2017_09_25, performance_impact Low, updated_at 2017_09_25;)

Added 2017-09-25 17:52:30 UTC

