alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT SugarCRM Auth Bypass Attempt 2022-12-31"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/index.php"; http.cookie; content:"PHPSESSID|3d|"; startswith; pcre:"/^PHPSESSID\x3d[0-9a-f]{8}\b-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-\b[0-9a-f]{12}$/"; http.request_body; content:"module=Users"; nocase; content:"action=Authenticate"; nocase; content:"user_name=1"; nocase; content:"user_password=1"; nocase; fast_pattern; reference:url,packetstormsecurity.com/files/170346/SugarCRM-Shell-Upload.html; reference:url,sugarclub.sugarcrm.com/dev-club/f/questions-answers/6123/exploit-for-sugarcrm-shell-upload; classtype:trojan-activity; sid:2043272; rev:2; metadata:affected_product SugarCRM, attack_target Server, created_at 2023_01_11, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, updated_at 2024_06_23, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)