Rule History

alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Gitlab Login Attempt with hard-coded password (CVE-2022-1162)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/users/sign_in"; http.request_body; content:"|26|user|5b|password|5d 3d|123qweQWE|21 40 23|"; fast_pattern; pcre:"/^0+(?:&|$)/R"; reference:url,about.gitlab.com/releases/2022/03/31/critical-security-release-gitlab-14-9-2-released/#static-passwords-inadvertently-set-during-omniauth-based-registration; reference:cve,2022-1162; classtype:attempted-user; sid:2035751; rev:1; metadata:attack_target Server, created_at 2022_04_05, cve CVE_2022_1162, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2022_04_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)