""ET WEB_SERVER Suspected Generic Webshell Activity (Outbound)""
SID: 2039079
Revision: 1
Class Type: web-application-attack
Metadata: attack_target Web_Server, created_at 2022_10_03, deployment Perimeter, signature_severity Major, updated_at 2022_10_03
Reference:
Protocol: tcp
Source Network: $HOME_NET
Source Port: $HTTP_PORTS
Destination Network: $EXTERNAL_NET
Destination Port: any
Flow: established,to_client
Contents:
-
Value: "200"
-
Value: "|20|id=|22|L_p|22|"
-
Value: "Program"
-
Value: "|22|xpath|22 20|type=|22|text|22 20|value=|22|c|3a 5c|windows|5c|system32|5c|cmd.exe|22|"
-
Value: "|22|xcmd|22 20|type=|22|text|22 20|value=|22|/c net user|22 20|id=|22|xcmd|22|"
Within:
PCRE:
Special Options:
-
http_stat_code
-
file_data