Rule History

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE WebDAV Retrieving .vbs from .url M1 (CVE-2023-36025)"; flow:established,to_client; xbits:isset,ET.PROPFIND,track ip_dst; http.stat_code; content:"200"; http.content_type; content:"application/x-mswinurl"; bsize:22; file.data; content:"[InternetShortcut]"; content:"URL=file://"; distance:0; fast_pattern; content:".vbs"; distance:0; reference:url,msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36025; reference:url,vulnera.com/newswire/windows-zero-day-cve-2023-36025-vulnerability-poc-exploit-published-by-researchers; reference:cve,2023-36025; classtype:trojan-activity; sid:2049398; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2023_11_29, cve CVE_2023_36025, deployment Perimeter, confidence Low, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_06_15, reviewed_at 2024_10_14;)