Rule History

alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible WebShell Access Inbound [exec] M1 (CISA AA21-259A)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?act=exec"; fast_pattern; content:"&newid="; content:"&pwd="; reference:url,us-cert.cisa.gov/ncas/alerts/aa21-259a; classtype:attempted-user; sid:2034006; rev:1; metadata:attack_target Server, created_at 2021_09_22, deployment Perimeter, confidence Medium, signature_severity Major, tag WebShell, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_09_22, mitre_tactic_id TA0003, mitre_tactic_name Persistence, mitre_technique_id T1505, mitre_technique_name Server_Software_Component;)