thinkphp-cve-2018-20062 Configuration

« thinkphp-cve-2018-20062 »
v0.6 by crowdsecurity
Attack scenarioremediation:trueservice:thinkphpspoofable:0MITRE:T1190MITRE:T1595confidence:3

Detect ThinkPHP CVE-2018-20062 exploitation attemps

Installation

cscli scenarios install crowdsecurity/thinkphp-cve-2018-20062

YAML Configuration

1type: trigger
2format: 2.0
3#debug: true
4name: crowdsecurity/thinkphp-cve-2018-20062
5description: "Detect ThinkPHP CVE-2018-20062 exploitation attemps"
6filter: |
7  evt.Meta.log_type in ["http_access-log", "http_error-log"] and RegexpInFile(Lower(evt.Meta.http_path), "thinkphp_cve_2018-20062.txt")
8data:
9  - source_url: https://hub-data.crowdsec.net/web/thinkphp_cve_2018-20062.txt
10    dest_file: thinkphp_cve_2018-20062.txt
11    type: regexp
12    strategy: LRU
13    size: 20
14    ttl: 10s
15groupby: "evt.Meta.source_ip"
16blackhole: 2m
17labels:
18  confidence: 3
19  spoofable: 0
20  classification:
21    - attack.T1190
22    - attack.T1595
23    - cve.CVE-2018-20062
24  behavior: "http:exploit"
25  label: "ThinkPHP CVE-2018-20062"
26  remediation: true
27  service: thinkphp
28

Hub configuration

« thinkphp-cve-2018-20062 »v0.6 by crowdsecurityAttack scenarioremediation:trueservice:thinkphpCVE-2018-20062spoofable:0MITRE:T1190MITRE:T1595confidence:3

« thinkphp-cve-2018-20062 »
v0.6 by crowdsecurity
Attack scenarioremediation:trueservice:thinkphpspoofable:0MITRE:T1190MITRE:T1595confidence:3