ET DELETED PHP Code in User-Agent (Inbound) - Possible Command Injections - Suricata Rule 2036728 (et/open)

ET DELETED PHP Code in User-Agent (Inbound) - Possible Command Injections

SID: 2036728Rev: 20 viewsHistory

Sourceet/open

CreatedMay 31, 2022

UpdatedJune 1, 2022

Classificationbad-unknown

alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET DELETED PHP Code in User-Agent (Inbound) - Possible Command Injections"; flow:established,to_server; http.user_agent; content:"|3c 3f|php"; reference:url,cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers; reference:url,www.exploit-db.com/exploits/50844; classtype:bad-unknown; sid:2036728; rev:2; metadata:attack_target Client_and_Server, created_at 2022_05_31, deployment Perimeter, deployment SSLDecrypt, deprecation_reason Duplicate, performance_impact Low, signature_severity Minor, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_06_01, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)

References

url	cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers
url	www.exploit-db.com/exploits/50844

Metadata

attack targetClient_and_Server

created at2022_05_31

deploymentSSLDecrypt

deprecation reasonDuplicate

performance impactLow

signature severityMinor

tagDescription_Generated_By_Proofpoint_Nexus

updated at2022_06_01

mitre tactic idTA0008

mitre tactic nameLateral_Movement

mitre technique idT1210

mitre technique nameExploitation_Of_Remote_Services

Comments (0)

Please sign in to leave a comment.

No comments yet. Be the first to comment!