Rule History

alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS D-Link NAS devices Backdoor Account Access and Command Injection Attempt (CVE-2024-3273)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/nas_sharing.cgi?"; startswith; content:"user|3d|messagebus"; fast_pattern; content:"passwd|3d|"; content:"cmd|3d|15"; content:"system|3d|"; reference:url,supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383; reference:cve,2024-3273; classtype:attempted-admin; sid:2051955; rev:1; metadata:affected_product D_Link, attack_target Networking_Equipment, tls_state plaintext, created_at 2024_04_08, cve CVE_2024_3273, deployment Perimeter, deployment SSLDecrypt, confidence High, signature_severity Major, tag CISA_KEV, updated_at 2024_04_08, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services; target:dest_ip;)