""ET ATTACK_RESPONSE Possible /etc/shadow via HTTP M2""
SID: 2049388
Revision: 1
Class Type: successful-recon-limited
Metadata: attack_target Server, created_at 2023_11_29, deployment Perimeter, performance_impact Low, confidence Low, signature_severity Major, tag WebShell, updated_at 2023_11_29, mitre_tactic_id TA0003, mitre_tactic_name Persistence, mitre_technique_id T1505, mitre_technique_name Server_Software_Component
Reference:
Protocol: tcp
Source Network: [$HTTP_SERVERS,$HOME_NET]
Source Port: $HTTP_PORTS
Destination Network: $EXTERNAL_NET
Destination Port: any
Flow: established,to_client
Contents:
-
Value: "root|3a 21 3a|"
-
Value: "|3a|0|3a|"
-
Value: "|3a 3a 3a 0a|"
Within: 17
PCRE:
Special Options:
-
file_data
-
fast_pattern