zoneminder_cve-2022-39290 Scenario

« zoneminder_cve-2022-39290 »
v0.2 by baudneo
Attack scenarioremediation:trueservice:zoneminderspoofable:0MITRE:T1595MITRE:T1190confidence:3

Detect cve-2022-39290 exploitation attempts

Installation

cscli scenarios install baudneo/zoneminder_cve-2022-39290

YAML Configuration

1type: trigger
2format: 2.0
3#debug: true
4#/zm/index.php?view=options&tab=users&action=delete&markUids%5B%5D=13&deleteBtn=Delete
5name: baudneo/zoneminder_cve-2022-39290
6description: "Detect cve-2022-39290 exploitation attempts"
7filter: |
8  evt.Meta.log_type in ["http_access-log", "http_error-log"]
9  and Upper(evt.Meta.http_verb) == "GET"
10  and  Upper(evt.Meta.http_path) matches Upper('.*action=.*')
11groupby: "evt.Meta.source_ip"
12blackhole: 2m
13labels:
14  classification:
15    - attack.T1595
16    - attack.T1190
17    - cve.CVE-2022-39290
18  spoofable: 0
19  confidence: 3
20  service: zoneminder
21  behavior: "http:exploit"
22  label: "Zoneminder CVE-2022-39290"
23  remediation: true
24

Hub configuration

« zoneminder_cve-2022-39290 »v0.2 by baudneoAttack scenarioremediation:trueservice:zoneminderCVE-2022-39290spoofable:0MITRE:T1595MITRE:T1190confidence:3

« zoneminder_cve-2022-39290 »
v0.2 by baudneo
Attack scenarioremediation:trueservice:zoneminderspoofable:0MITRE:T1595MITRE:T1190confidence:3