🐾 - 🔔 Suspicious .NET TLS connection to 💾 Veeam Backup Service 🥷 - T1210 - seen in CVE-2023-27532 exploit

SID: 3321304
Rev: 8
Source: pawpatrules
Created: July 21, 2024
Updated: July 26, 2024
Classification: targeted-activity
alert tcp-pkt any any -> $HOME_NET 9401 (msg:"🐾 - 🔔 Suspicious .NET TLS connection to 💾 Veeam Backup Service 🥷 - T1210 - seen in CVE-2023-27532 exploit"; flow:to_server, stateless; content:"|00 01 00 01 02 02 1e 6e 65 74 2e 74 63 70 3a 2f 2f|"; fast_pattern; content:"|03 08|"; endswith; dsize:<100; reference:url,https://attack.mitre.org/techniques/T1210/; reference:url,https://www.horizon3.ai/attack-research/attack-blogs/veeam-backup-and-replication-cve-2023-27532-deep-dive/; reference:url,https://github.com/horizon3ai/CVE-2023-27532; reference:url,https://github.com/puckiestyle/CVE-2023-27532-RCE-Only; reference:url,https://www.group-ib.com/blog/estate-ransomware/; metadata:created_at 2024_07_21, updated_at 2024_07_26, signature_severity Major, attack_target Server_Endpoint, affected_product Windows_Server_32_64_Bit, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_of_Remote_Services; sid:3321304; rev:8; classtype:targeted-activity;)

Metadata

created at: 2024_07_21
updated at: 2024_07_26
signature severity: Major
attack target: Server_Endpoint
affected product: Windows_Server_32_64_Bit
mitre tactic id: TA0008
mitre tactic name: Lateral_Movement
mitre technique id: T1210
mitre technique name: Exploitation_of_Remote_Services
