alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT VMware NSX SD-WAN Command Injection"; flow:established,to_server; http.uri; content:"/scripts/ajaxPortal.lua"; fast_pattern; http.request_body; content:"destination="; content:"source="; content:"test="; content:"&requestTimeout="; content:"auth_token="; content:"cmd=run_diagnostic"; pcre:"/destination=[^&]*\x24\x28/i"; reference:url,exploit-db.com/exploits/44959/; reference:cve,2018-6961; classtype:attempted-user; sid:2025767; rev:3; metadata:attack_target Server, created_at 2018_07_02, cve CVE_2018_6961, deployment Datacenter, performance_impact Low, confidence High, signature_severity Critical, updated_at 2020_08_25, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)