""ET EXPLOIT Wscript Shell Run Attempt - Likely Hostile""

SID: 2017205

Revision: 1

Class Type: attempted-user

Metadata: created_at 2013_07_27, updated_at 2013_07_27

Reference:

Protocol: tcp

Source Network: $EXTERNAL_NET

Source Port: any

Destination Network: $HTTP_SERVERS

Destination Port: $HTTP_PORTS

Flow: established,to_server

Contents:

• Value: "WScript.Shell"

• Value: ".Run"

Within: 100

PCRE: "/[\r\n\s]+(?P(a-z|+([a-z0-9])([a-z0-9])))[\r\n\s]\x3d[\r\n\s]CreateObject(\s[\x22\x27]Wscript.Shell[\x27\x22]\s).+?(?P=var1).run/si"

Special Options:

• nocase

• nocase

source