alert tcp $HOME_NET any -> $HOME_NET 445 (
msg:"Possible SMB lateral movement enumeration";
flow:to_server,established;
content:"|FF|SMB"; depth:4;
threshold:type both, track by_src, count 15, seconds 60;
sid:1000001; rev:1;
index=auth sourcetype=linux_secure "Failed password" | stats count by src_ip, user | where count > 20
index=proxy "POST" url="*/oauth/token" | stats count by client_ip | where count > 100
index=endpoint process_name=powershell.exe command_line="*EncodedCommand*"