Et rule 2034439 - Magic-SigExplorer

""ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server""

SID: 2034439

Revision: 1

Class Type: web-application-attack

Metadata: attack_target Server, created_at 2021_11_12, deployment Perimeter, signature_severity Major, tag WebShell, updated_at 2021_11_12, mitre_tactic_id TA0003, mitre_tactic_name Persistence, mitre_technique_id T1505, mitre_technique_name Server_Software_Component

Reference:

Protocol: tcp

Source Network: $EXTERNAL_NET

Source Port: $HTTP_PORTS

Destination Network: $HOME_NET

Destination Port: any

Flow: established,to_client

Contents:

Value: "|2e|cmd|7b|background|2d|color|3a 23|000|3b|color|3a 23|FFF"
Value: "|3c|input|20|name|3d 27|postpass|27 20|type|3d 27|password|27 20|size|3d 27|22|27 3e 20 3c|input|20|type|3d 27|submit|27 20|value|3d|"

Within:

PCRE:

Special Options:

file_data
nocase
fast_pattern

source