Signature
alert tcp any any -> $HOME_NET 445 (msg:"NF - EXPLOIT [PTsecurity] DoublePulsar Backdoor installation communication"; flow: to_server, established; content:"|FF|SMB2|00 00 00 00|"; depth: 9; offset: 4; byte_test:2,!=,0x0000,52,relative,little; pcre: "/^.{52}(?:\x04|\x09|\x0A|\x0B|\x0C|\x0E|\x11)\x00/R"; reference:url,networkforensic.dk; reference:url,doc.emergingthreats.net; metadata:11122018; classtype:attempted-admin; sid:5013402; rev:1;)
Recommendations/Investigative actions
Authorize the Link. If the link was approved in terms of the IP addresses and ports - archive and baseline the rule. If not - check the connection and investigate the relevant IP address, check if the IP address is new on the network and if there are additional alerts related to this IP address.