CVE-2022-44877 Configuration

« CVE-2022-44877 »
v0.3 by crowdsecurity
Attack scenarioremediation:truetype:exploit service:centosspoofable:0MITRE:T1595MITRE:T1190confidence:3

Detect CVE-2022-44877 exploits

Installation

cscli scenarios install crowdsecurity/CVE-2022-44877

Description

Trigger exploits of CVE-2022-44877 Centos Web Panel 7 Unauthenticated Remote Code Execution

Reference: https://nvd.nist.gov/vuln/detail/CVE-2022-44877

YAML Configuration

1type: trigger
2#debug: true
3name: crowdsecurity/CVE-2022-44877
4description: "Detect CVE-2022-44877 exploits"
5filter: |
6  Lower(evt.Meta.http_path) contains '/index.php' &&
7  Upper(evt.Parsed.verb) == 'POST' &&
8  evt.Meta.http_status == '302' &&
9  Lower(evt.Parsed.http_args) matches 'login=.*[$|%24][\\(|%28].*[\\)|%29]'
10
11blackhole: 1m
12groupby: "evt.Meta.source_ip"
13labels:
14  type: exploit
15  remediation: true
16  classification:
17    - attack.T1595
18    - attack.T1190
19    - cve.CVE-2022-44877
20  spoofable: 0
21  confidence: 3
22  behavior: "http:exploit"
23  label: "Centos Webpanel CVE-2022-44877"
24  service: centos
25

Hub configuration

« CVE-2022-44877 »v0.3 by crowdsecurityAttack scenarioremediation:truetype:exploit service:centosCVE-2022-44877spoofable:0MITRE:T1595MITRE:T1190confidence:3

« CVE-2022-44877 »
v0.3 by crowdsecurity
Attack scenarioremediation:truetype:exploit service:centosspoofable:0MITRE:T1595MITRE:T1190confidence:3