""ET EXPLOIT Razer Sila Router - Command Injection Attempt Inbound (find) (No CVE)""

SID: 2044532

Revision: 1

Class Type: attempted-admin

Metadata: affected_product Router, attack_target Networking_Equipment, created_at 2023_03_08, deployment Perimeter, deployment Internal, signature_severity Major, updated_at 2023_03_08, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services

Reference:

• Link

Protocol: tcp

Source Network: any

Source Port: any

Destination Network: [$HOME_NET,$HTTP_SERVERS]

Destination Port: any

Flow: to_server,established

Contents:

• Value: "POST"

• Value: "/ubus/"

• Value: "|22|exec|22|,|7b 22|command|22 3a 22|find"

Within:

PCRE:

Special Options:

• http_method

• http_uri

• fast_pattern

source