Rule History

alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Dahua DSS Security Management Platform Attempted Privilege Escalation"; flow:established,to_server; http.method; content:"GET"; http.uri; bsize:37; content:"|2f|admin|2f|cascade|5f 2f|user|5f|edit|2e|action|3f|id|3d|1"; fast_pattern; reference:url,github.com/wy876/POC/blob/main/%E5%A4%A7%E5%8D%8E%E5%9F%8E%E5%B8%82%E5%AE%89%E9%98%B2%E7%9B%91%E6%8E%A7%E7%B3%BB%E7%BB%9F%E5%B9%B3%E5%8F%B0%E7%AE%A1%E7%90%86%E5%AD%98%E5%9C%A8user_edit.action%E4%BF%A1%E6%81%AF%E6%B3%84%E9%9C%B2%E6%BC%8F%E6%B4%9E.md; classtype:attempted-admin; sid:2053477; rev:1; metadata:affected_product HTTP_Server, attack_target Server, created_at 2024_06_12, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, updated_at 2024_06_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)