netgear_rce Scenario

« netgear_rce »
v0.4 by crowdsecurity
Attack scenarioremediation:trueservice:netgearspoofable:0MITRE:T1595MITRE:T1190confidence:3

Detect Netgear RCE DGN1000/DGN220 exploitation attempts

Installation

cscli scenarios install crowdsecurity/netgear_rce

Description

Detects attempts of exploit of Netgear DGN1000 / DGN2200 Remote Command Execution.

Reference: https://www.exploit-db.com/exploits/25978

YAML Configuration

1type: trigger
2format: 2.0
3name: crowdsecurity/netgear_rce
4description: "Detect Netgear RCE DGN1000/DGN220 exploitation attempts"
5filter: |
6  evt.Meta.log_type in ['http_access-log', 'http_error-log'] && Lower(QueryUnescape(evt.Meta.http_path)) startsWith Lower('/setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=')
7groupby: "evt.Meta.source_ip"
8blackhole: 2m
9references:
10  - "https://www.exploit-db.com/exploits/25978"
11labels:
12  confidence: 3
13  spoofable: 0
14  classification:
15    - attack.T1595
16    - attack.T1190
17    - cve.CVE-2024-12847
18  behavior: "http:exploit"
19  label: "Netgear RCE"
20  service: netgear
21  remediation: true
22

Hub configuration

« netgear_rce »v0.4 by crowdsecurityAttack scenarioremediation:trueservice:netgearCVE-2024-12847spoofable:0MITRE:T1595MITRE:T1190confidence:3

« netgear_rce »
v0.4 by crowdsecurity
Attack scenarioremediation:trueservice:netgearspoofable:0MITRE:T1595MITRE:T1190confidence:3