Rejetto HTTP File Server RCE

Detects attempts to exploit a Rejetto HTTP File Server (HFS) via CVE-2014-6287

Sigma rule

title: Rejetto HTTP File Server RCE
id: a133193c-2daa-4a29-8022-018695fcf0ae
status: test
description: Detects attempts to exploit a Rejetto HTTP File Server (HFS) via CVE-2014-6287
references:
    - https://vk9-sec.com/hfs-code-execution-cve-2014-6287/
    - https://www.exploit-db.com/exploits/39161
    - https://github.com/Twigonometry/Cybersecurity-Notes/blob/c875b0f52df7d2c7a870e75e1f0c2679d417931d/Writeups/Hack%20the%20Box/Boxes/Optimum/10%20-%20Website.md
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/07/19
modified: 2023/01/02
tags:
    - attack.initial_access
    - attack.t1190
    - attack.t1505.003
    - cve.2014.6287
    - detection.emerging_threats
logsource:
    category: webserver
detection:
    selection_search:
        cs-uri-query|contains: '?search=%00{.'
    selection_payload:
        cs-uri-query|contains:
            - 'save|' # Indication of saving a file which shouldn't be tested by vuln scanners
            - 'powershell'
            - 'cmd.exe'
            - 'cmd /c'
            - 'cmd /r'
            - 'cmd /k'
            - 'cscript'
            - 'wscript'
            - 'python'
            - 'C:\Users\Public\'
            - '%comspec%'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
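The rule's logic, applied to W3C-style webserver log lines as an added example (not part of the Sigma rule or the SigmaHQ project): both selections must hit on `cs-uri-query`, and Sigma `contains` matches case-insensitively. The log format, field names and sample lines are constructed for the example.

```python
from typing import Dict, Iterator, List

# String lists copied from the rule's two selections.
SELECTION_SEARCH = ["?search=%00{."]
SELECTION_PAYLOAD = [
    "save|", "powershell", "cmd.exe", "cmd /c", "cmd /r", "cmd /k",
    "cscript", "wscript", "python", "C:\\Users\\Public\\", "%comspec%",
]


def contains_any(value: str, needles: List[str]) -> bool:
    """Sigma 'contains' is a case-insensitive substring test by default."""
    low = value.lower()
    return any(n.lower() in low for n in needles)


def matches_rule(event: Dict[str, str]) -> bool:
    """condition: all of selection_* -> both selections must match cs-uri-query."""
    query = event.get("cs-uri-query", "")
    return contains_any(query, SELECTION_SEARCH) and contains_any(query, SELECTION_PAYLOAD)


def parse_w3c(lines: List[str]) -> Iterator[Dict[str, str]]:
    """Minimal W3C extended-log parser: the '#Fields:' header names the columns."""
    fields: List[str] = []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


# Constructed sample log (assumed format, not real traffic). Lines 3 and 4 each satisfy
# only one selection, so the AND condition leaves a single hit (line 2).
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2024-01-15 10:22:31 198.51.100.7 GET / ?search=report 200",
    "2024-01-15 10:22:40 198.51.100.7 GET / ?search=%00{.save|C:\\Users\\Public\\x.txt|data.} 200",
    "2024-01-15 10:22:41 198.51.100.8 GET / ?search=%00{.nonexistent.} 200",
    "2024-01-15 10:23:02 198.51.100.9 GET /docs/ ?search=powershell 200",
]


def find_hits(lines: List[str]) -> List[Dict[str, str]]:
    return [event for event in parse_w3c(lines) if matches_rule(event)]


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(hit["date"], hit["time"], hit["c-ip"], hit["cs-uri-query"])
```

Check how your pipeline stores the field before relying on the first selection: IIS logs `cs-uri-query` without the leading `?`, and a collector that URL-decodes the query turns `%00` into a raw NUL byte, so in either case the literal `?search=%00{.` never matches.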
