Rule History

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE WebDAV Retrieving .zip from .url M1 (CVE-2023-36025)"; flow:established,to_client; xbits:isset, ET.PROPFIND,track ip_dst; http.stat_code; content:"200"; http.content_type; content:"application/x-mswinurl"; bsize:22; file.data; content:"[InternetShortcut]"; content:"URL=file://"; distance:0; fast_pattern; content:".zip"; distance:0; reference:url,msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36025; reference:url,vulnera.com/newswire/windows-zero-day-cve-2023-36025-vulnerability-poc-exploit-published-by-researchers; reference:cve,2023-36025; classtype:trojan-activity; sid:2049317; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2023_11_27, cve CVE_2023_36025, deployment Perimeter, deployment SSLDecrypt, confidence Low, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_12_13, reviewed_at 2024_10_14;)