Rule History

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Potentially Malicious .cab Inbound (CVE-2020-1300)"; flow:established,from_server; http.stat_code; content:"200"; http.response_body; content:"MSCF"; startswith; content:"../../"; distance:0; fast_pattern; pcre:"/^[a-z0-9\-_\.\/]+\x00/Ri"; reference:url,www.thezdi.com/blog/2020/7/8/cve-2020-1300-remote-code-execution-through-microsoft-windows-cab-files; classtype:attempted-admin; sid:2030493; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2020_07_10, cve CVE_2020_1300, deployment Perimeter, deployment Datacenter, performance_impact Low, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_07_10;)