Rule Category


Alert Message

MALWARE-OTHER Win.Worm.Shamoon propagation via SMB2 transfer attempt

Rule Explanation

This event is generated when a host infected with Shamoon malware attempts to propagate to another host via SMB. Impact: A host is likely infected with Shamoon malware. Details: Shamoon is known for malware such as Disttrack which steals files and documents before destroying the hard drive of the infected host. Ease of Attack:

What To Look For

Known Usage

No public information

False Positives

No known false positives


Cisco Talos Intelligence Group

MITRE ATT&CK Framework



For reference, see the MITRE ATT&CK vulnerability types here:

Additional Links

Rule Vulnerability

CVE Additional Information