Rule History

SID: 2033082 • Source: et/open

Versions (5)

Version DetailsCurrent

Rev: 2 • Jun 3, 2021, 12:00 PM

Message:

ET EXPLOIT Laravel Remote Code Execution (CVE-2021-3129) Outbound - Payload Execution Attempt

Rule:

alert http $HOME_NET any -> any any (msg:"ET EXPLOIT Laravel Remote Code Execution (CVE-2021-3129) Outbound - Payload Execution Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/_ignition/execute-solution/"; startswith; fast_pattern; http.request_body; content:"|22|solution|22 3a 20 22|Facade|5c 5c|Ignition|5c 5c|Solutions|5c 5c|MakeViewVariableOptionalSolution|22|"; content:"|22|viewFile|22 3a 20 22|phar|3a 2f 2f|"; reference:url,blog.talosintelligence.com/2021/06/necro-python-bot-adds-new-tricks.html; reference:url,www.ambionics.io/blog/laravel-debug-rce; reference:url,github.com/ambionics/laravel-exploits/blob/main/laravel-ignition-rce.py; reference:cve,2021-3129; classtype:attempted-admin; sid:2033082; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2021_06_03, cve CVE_2021_3129, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag CISA_KEV, updated_at 2021_06_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

Created:

Jun 3, 2021, 12:00 PM

Updated:

Jun 3, 2021, 12:00 PM

DB Created:

Sep 21, 2024, 3:00 AM

DB Updated:

Sep 21, 2024, 3:00 AM

Filename:

rules/emerging-exploit.rules