1name: crowdsecurity/vpatch-CVE-2023-40044
2description: "WS_FTP .NET deserialize RCE (CVE-2023-40044)"
3rules:
4  - and:
5    - zones:
6      - URI
7      transform:
8      - lowercase
9      match:
10        type: endsWith
11        value: /aht/
12    - zones:
13      - METHOD
14      match:
15        type: equals
16        value: POST
17    - zones:
18      - BODY_ARGS
19      transform:
20      - b64decode
21      - lowercase
22      match:
23        type: contains
24        value: "<s:string>cmd</s:string>"
25labels:
26  type: exploit
27  service: http
28  confidence: 3
29  spoofable: 0
30  behavior: "http:exploit"
31  label: "WS_FTP .NET deserialize RCE"
32  classification:
33   - cve.CVE-2023-40044
34   - attack.T1595
35   - attack.T1190
36   - cwe.CWE-502
37
38
39