Versions (3)
Version DetailsCurrent
Rev: 1 • Nov 29, 2023, 12:00 PMET ATTACK_RESPONSE Possible /etc/shadow via HTTP M3
alert http [$HTTP_SERVERS,$HOME_NET] any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Possible /etc/shadow via HTTP M3"; flow:established,to_client; http.response_body; content:"root|3a 21 21 3a|"; fast_pattern; content:"|3a|0|3a|"; within:9; content:"|3a 3a 3a 0a|"; within:17; reference:url,linuxize.com/post/etc-shadow-file/; reference:url,access.redhat.com/documentation/en-us/red_hat_enterprise_linux/4/html/system_administration_guide/s2-redhat-config-users-process; classtype:successful-recon-limited; sid:2049389; rev:1; metadata:attack_target Server, created_at 2023_11_29, deployment Perimeter, performance_impact Low, confidence Low, signature_severity Major, tag WebShell, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_11_29, mitre_tactic_id TA0003, mitre_tactic_name Persistence, mitre_technique_id T1505, mitre_technique_name Server_Software_Component; target:src_ip;)
Nov 29, 2023, 12:00 PM
Nov 29, 2023, 12:00 PM
Nov 29, 2023, 10:00 PM
Aug 18, 2025, 8:35 PM
rules/emerging-attack_response.rules