Rule History

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT .NET Framework Remote Code Execution Injection (CVE-2020-1147)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"__SUGGESTIONSCACHE__"; fast_pattern; content:"<DataSet"; nocase; distance:0; content:"System.Data.Services.Internal.ExpandedWrapper"; nocase; distance:0; reference:url,srcincite.io/blog/2020/07/20/sharepoint-and-pwn-remote-code-execution-against-sharepoint-server-abusing-dataset.html; reference:cve,2020-1147; classtype:attempted-admin; sid:2034510; rev:2; metadata:created_at 2021_11_18, cve CVE_2020_1147, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_03_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)