CVE-2017-9841 Scenario

« CVE-2017-9841 »
v0.2 by crowdsecurity
Attack scenarioremediation:truetype:exploit service:PHPspoofable:0MITRE:T1595MITRE:T1190confidence:3

Detect CVE-2017-9841 exploits

Installation

cscli scenarios install crowdsecurity/CVE-2017-9841

Description

Detects exploit of CVE-2017-9841 vulnerability targeting PHP unit test framework.

YAML Configuration

1type: trigger
2#debug: true
3name: crowdsecurity/CVE-2017-9841
4description: "Detect CVE-2017-9841 exploits"
5filter: |
6    evt.Meta.log_type == 'http_access-log' &&
7    Lower(evt.Meta.http_path) endsWith 'util/php/eval-stdin.php'
8blackhole: 1m
9groupby: "evt.Meta.source_ip"
10labels:
11  type: exploit
12  remediation: true
13  classification:
14    - attack.T1595
15    - attack.T1190
16    - cve.CVE-2017-9841
17  spoofable: 0
18  confidence: 3
19  behavior: "http:exploit"
20  label: "PHP Unit Test Framework CVE-2017-9841"
21  service: PHP
22

Hub configuration

« CVE-2017-9841 »v0.2 by crowdsecurityAttack scenarioremediation:truetype:exploit service:PHPCVE-2017-9841spoofable:0MITRE:T1595MITRE:T1190confidence:3

« CVE-2017-9841 »
v0.2 by crowdsecurity
Attack scenarioremediation:truetype:exploit service:PHPspoofable:0MITRE:T1595MITRE:T1190confidence:3