""ET EXPLOIT Possible REvil 0day Exploitation Activity Inbound""

SID: 2033236

Revision: 1

Class Type: bad-unknown

Metadata: created_at 2021_07_05, updated_at 2021_07_05

Reference:

Protocol: tcp

Source Network: any

Source Port: any

Destination Network: [$HTTP_SERVERS,$HOME_NET]

Destination Port: any

Flow: established,to_server

Contents:

  • Value: "|0a|procCreate|28 22|Archive"

  • Value: "procStep|28|"

  • Value: "+++SQLCMD|3a 22|+"

  • Value: "|22|DELETE|20|FROM"

Within: 100

PCRE:

Special Options:
