"ET WEB_SERVER Suspected HrServ Webshell Related Activity M2"
SID: 2050029
Revision: 1
Class Type: trojan-activity
Metadata: attack_target Web_Server, created_at 2024_01_12, deployment Perimeter, confidence Medium, signature_severity Major, tag WebShell, updated_at 2024_01_12, mitre_tactic_id TA0003, mitre_tactic_name Persistence, mitre_technique_id T1505, mitre_technique_name Server_Software_Component
Reference:
-
md5, d0fe27865ab271963e27973e81b77bae
Protocol: tcp
Source Network: $EXTERNAL_NET
Source Port: $HTTP_PORTS
Destination Network: $HOME_NET
Destination Port: any
Flow: established,to_server
Contents:
-
Value: "POST"
-
Value: "/FC4B97EB-2965-4A3B-8BAD-B8172DE25520/" Depth: 38
-
Value: "&cp="
-
Value: "&client="
-
Value: "&xssi="
-
Value: "&hl="
-
Value: "&authuser="
-
Value: "&pq="
Within: 8
PCRE: "/&cp=[16]/U"
Special Options:
-
http_method
-
http_uri
-
fast_pattern
-
http_uri
-
http_uri
-
http_uri
-
http_uri
-
http_uri
-
http_uri