alert tcp any any -> $HOME_NET 445 (msg: "[PT Open] Unimplemented Trans2 Sub-Command code. Possible ETERNALBLUE (WannaCry, Petya) tool"; flow: to_server, established; content: "|FF|SMB2|00 00 00 00|"; depth: 9; offset: 4; byte_test: 2, >, 0x0008, 52, relative, little; pcre: "/\xFFSMB2\x00\x00\x00\x00.{52}(?:\x04|\x09|\x0A|\x0B|\x0C|\x0E|\x11)\x00/"; flowbits: set, SMB.Trans2.SubCommand.Unimplemented; reference: url, msdn.microsoft.com/en-us/library/ee441654.aspx; classtype: attempted-admin; sid: 10001254; rev: 2;) alert tcp any […]
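As an added example (not code from the post or from PT Open), the following Python mirrors the rule's content, byte_test and pcre checks against a constructed SMB1 TRANSACTION2 request, so you can see which sub-command values actually trigger it; the header field values in build_trans2_request are assumptions for the sample, not captured traffic.

```python
import re
import struct

# Layout assumed for the constructed sample, mirroring the rule: 4-byte NetBIOS
# session header, 32-byte SMB1 header, WordCount, 28 bytes of fixed TRANSACTION2
# request parameters, then Setup[0] holding the little-endian sub-command code.
SMB_TRANS2 = 0x32           # SMB1 command byte, the ASCII "2" in the rule's content
SUBCMD_OFFSET = 4 + 9 + 52  # NetBIOS header + 9 matched content bytes + relative offset 52

# Same byte pattern as the rule's pcre option. No DOTALL: like the Snort rule
# (no /s modifier), the 52 "." do not match a 0x0A byte, which is a caveat if
# a TID/PID/UID/MID happens to contain one.
TRANS2_PCRE = re.compile(
    rb"\xFFSMB2\x00\x00\x00\x00.{52}(?:\x04|\x09|\x0A|\x0B|\x0C|\x0E|\x11)\x00"
)


def build_trans2_request(subcommand: int) -> bytes:
    """Construct a minimal TRANSACTION2 request (sample input, not real traffic)."""
    smb_header = (
        b"\xFFSMB" + bytes([SMB_TRANS2]) + b"\x00\x00\x00\x00"   # command, NT status
        + b"\x18" + b"\x07\xC0"                                  # Flags, Flags2 (assumed)
        + b"\x00" * 2 + b"\x00" * 8 + b"\x00" * 2                # PIDHigh, signature, reserved
        + b"\x00\x00" + b"\xFE\xFF" + b"\x00\x00" + b"\x40\x00"  # TID, PID, UID, MID (assumed)
    )
    # WordCount (15 words), 26 bytes of counts/offsets/flags, SetupCount=1, Reserved3.
    params = b"\x0F" + b"\x00" * 26 + b"\x01" + b"\x00"
    setup = struct.pack("<H", subcommand)                        # Setup[0], little-endian
    body = smb_header + params + setup + b"\x00\x00"             # ByteCount = 0
    return struct.pack(">I", len(body)) + body                   # NetBIOS session header


def matches_rule(payload: bytes) -> bool:
    """Apply the rule's content, byte_test and pcre checks to one TCP payload."""
    if payload[4:13] != b"\xFFSMB2\x00\x00\x00\x00":             # content; offset 4; depth 9
        return False
    if len(payload) < SUBCMD_OFFSET + 2:
        return False
    subcommand = struct.unpack_from("<H", payload, SUBCMD_OFFSET)[0]
    if not subcommand > 0x0008:                                  # byte_test: 2, >, 0x0008, 52, relative, little
        return False
    return TRANS2_PCRE.search(payload) is not None               # pcre


if __name__ == "__main__":
    for code in (0x04, 0x0D, 0x0E, 0x11):
        print(f"sub-command 0x{code:02X}: alert={matches_rule(build_trans2_request(code))}")
```

Note that because byte_test requires a value greater than 0x0008, the 0x04 listed in the pcre alternation can never fire on its own; only 0x09, 0x0A, 0x0B, 0x0C, 0x0E and 0x11 satisfy both options.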