alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT TerraMaster TOS RCE via OS Command Injection Inbound (CVE-2020-28188)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"|2e|php|3f|Event|3d|"; fast_pattern; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7C|\x24)/R"; content:"wget"; distance:0; content:!"oast.fun"; http.header_names; content:!"Referer"; threshold:type limit, seconds 600, count 5, track by_src; reference:url,research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet; classtype:attempted-admin; sid:2034200; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2021_10_15, cve CVE_2020_28188, deployment Perimeter, deprecation_reason Relevance, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_06_26, reviewed_at 2024_06_26, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)