ET WEB_SERVER Suspected China Chopper Variant Webshell Command (inbound)

SID: 2038490Rev: 10 views
History
Sourceet/open
CreatedAugust 11, 2022
UpdatedAugust 11, 2022
Classificationattempted-admin
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Suspected China Chopper Variant Webshell Command (inbound)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"kfaero="; startswith; fast_pattern; content:"&Z1="; distance:0; within:5; content:"&Z2="; distance:0; reference:url,www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/; classtype:attempted-admin; sid:2038490; rev:1; metadata:attack_target Web_Server, created_at 2022_08_11, deployment Perimeter, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_08_11, reviewed_at 2024_05_07;)

References

urlwww.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/

Metadata

attack targetWeb_Server
created at2022_08_11
deploymentPerimeter
confidenceMedium
signature severityMajor
tagDescription_Generated_By_Proofpoint_Nexus
updated at2022_08_11
reviewed at2024_05_07

Comments (0)

Please sign in to leave a comment.
Sign in

No comments yet. Be the first to comment!