ATTACK AD [PTsecurity] Unimplemented Trans2 Sub-Command code. Possible ETERNALBLUE (WannaCry, Petya) tool (CVE-2017-0144)
Sourceptrules/open
Fileptopen-windows.rules
CreatedJune 24, 2025
UpdatedJune 24, 2025
Classificationattempted-admin
alert smb any any -> any any (msg:"ATTACK AD [PTsecurity] Unimplemented Trans2 Sub-Command code. Possible ETERNALBLUE (WannaCry, Petya) tool (CVE-2017-0144)" ; flow:to_server, established, no_stream ; content:"|FF|SMB2|00 00 00 00|"; depth:9; offset:4; byte_test:2, >, 0x0008, 52, relative, little ; pcre:"/\xFFSMB2\x00\x00\x00\x00.{52}(?:\x04|\x09|\x0A|\x0B|\x0C|\x0E|\x11)\x00/s" ; reference:cve, 2017-0144 ; reference:url, msdn.microsoft.com/en-us/library/ee441654.aspx ; reference:url, rules.ptsecurity.com ; classtype:attempted-admin; sid:10001254; rev:6;)
References
Comments (0)
Please sign in to leave a comment.
Sign inNo comments yet. Be the first to comment!