Rule History

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET EXPLOIT MySQL Server for Windows Remote SYSTEM Level Exploit (Stuxnet Technique)"; flow:to_server,established; content:"|03|"; offset:3; depth:4; content:"INSERT INTO"; nocase; distance:0; content:"#pragma namespace("; nocase; distance:0; content:"|5c 5c 5c|.|5c 5c 5c 5c|root|5c 5c 5c 5c|"; nocase; distance:0; content:"__EventFilter"; nocase; distance:0; content:" __InstanceModificationEvent"; nocase; distance:0; content:"TargetInstance"; nocase; distance:0; content:"Win32_LocalTime"; nocase; distance:0; content:"ActiveScriptEventConsumer"; nocase; distance:0; content:"JScript"; nocase; distance:0; content:"WScript.Shell"; nocase; distance:0; content:"WSH.run"; nocase; distance:0; content:".exe"; distance:0; content:"__FilterToConsumerBinding"; pcre:"/WSH\.run\x28\x5c+?[\x22\x27][a-z0-9_-]+?\.exe/"; reference:url,seclists.org/fulldisclosure/2012/Dec/att-13/; classtype:attempted-user; sid:2015996; rev:3; metadata:created_at 2012_12_06, signature_severity Major, updated_at 2019_07_26;)