""ET CURRENT_EVENTS Possible CVE-2017-8759 Soap File DL Over FTP""

SID: 2024729

Revision: 2

Class Type: attempted-admin

Metadata: affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_20, cve CVE_2017_8759, deployment Perimeter, performance_impact Low, signature_severity Critical, updated_at 2022_05_03

Reference:

Protocol: tcp

Source Network: $EXTERNAL_NET

Source Port: any

Destination Network: $HOME_NET

Destination Port: any

Flow: established,to_client

Contents:

• Value: "process.start"

• Value: "<service"

Within:

PCRE: "/^(?:(?!<\/service>).)+?]+location=\s\x22\x27+?]+location=\s?\x22[^\x22]\r?\n[^\x22]?process.start/Rsi"

Special Options:

• nocase

• nocase

source