Versions (3)
Version DetailsCurrent
Rev: 1 • Nov 29, 2023, 12:00 PMET ATTACK_RESPONSE Possible /etc/shadow via HTTP M4
alert http [$HTTP_SERVERS,$HOME_NET] any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Possible /etc/shadow via HTTP M4"; flow:established,to_client; http.response_body; content:"root|3a 24|"; fast_pattern; content:"|3a|0|3a|"; distance:0; content:"|3a 3a 3a 0a|"; within:17; reference:url,linuxize.com/post/etc-shadow-file/; classtype:successful-recon-limited; sid:2049390; rev:1; metadata:attack_target Server, created_at 2023_11_29, deployment Perimeter, performance_impact Low, confidence Low, signature_severity Major, tag WebShell, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_11_29, mitre_tactic_id TA0003, mitre_tactic_name Persistence, mitre_technique_id T1505, mitre_technique_name Server_Software_Component;)
Nov 29, 2023, 12:00 PM
Nov 29, 2023, 12:00 PM
Nov 29, 2023, 10:00 PM
Aug 18, 2025, 8:35 PM
rules/emerging-attack_response.rules