Rule History

SID: 3321304 • Source: pawpatrules

Versions (3)

Version Details (Current)

Rev: 8 • Jul 21, 2024, 12:00 AM

🐾 - 🔔 Suspicious .NET TLS connection to 💾 Veeam Backup Service 🥷 - T1210 - seen in CVE-2023-27532 exploit

alert tcp-pkt any any -> $HOME_NET 9401 (msg:"🐾 - 🔔 Suspicious .NET TLS connection to 💾 Veeam Backup Service 🥷 - T1210 - seen in CVE-2023-27532 exploit"; flow:to_server, stateless; content:"|00 01 00 01 02 02 1e 6e 65 74 2e 74 63 70 3a 2f 2f|"; fast_pattern; content:"|03 08|"; endswith; dsize:<100; reference:url,https://attack.mitre.org/techniques/T1210/; reference:url,https://www.horizon3.ai/attack-research/attack-blogs/veeam-backup-and-replication-cve-2023-27532-deep-dive/; reference:url,https://github.com/horizon3ai/CVE-2023-27532; reference:url,https://github.com/puckiestyle/CVE-2023-27532-RCE-Only; reference:url,https://www.group-ib.com/blog/estate-ransomware/; metadata:created_at 2024_07_21, updated_at 2024_07_26, signature_severity Major, attack_target Server_Endpoint, affected_product Windows_Server_32_64_Bit, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_of_Remote_Services; sid:3321304; rev:8; classtype:targeted-activity;)

Jul 21, 2024, 12:00 AM

Jul 26, 2024, 12:00 PM

Jul 21, 2024, 12:00 AM

May 29, 2025, 11:12 PM

rules/PAW-PATRULES_LATERAL_MOVEMENT.rules