Cisco ASA FTD Exploit CVE-2020-3452

Detects exploitation attempts on Cisco ASA FTD systems exploiting CVE-2020-3452 with a status code of 200 (successful exploitation)

Sigma rule

title: Cisco ASA FTD Exploit CVE-2020-3452
id: aba47adc-4847-4970-95c1-61dce62a8b29
status: test
description: Detects exploitation attempts on Cisco ASA FTD systems exploiting CVE-2020-3452 with a status code of 200 (successful exploitation)
references:
    - https://twitter.com/aboul3la/status/1286012324722155525
    - https://github.com/darklotuskdb/CISCO-CVE-2020-3452-Scanner-Exploiter
author: Florian Roth (Nextron Systems)
date: 2021/01/07
modified: 2023/01/02
tags:
    - attack.t1190
    - attack.initial_access
    - cve.2020.3452
    - detection.emerging_threats
logsource:
    category: webserver
detection:
    selection_endpoint:
        cs-uri-query|contains:
            - '+CSCOT+/translation-table'
            - '+CSCOT+/oem-customization'
    selection_path_select:
        cs-uri-query|contains:
            - '&textdomain=/'
            - '&textdomain=%'
            - '&name=/'
            - '&name=%'
    select_status_code:
        sc-status: 200
    condition: selection_endpoint and selection_path_select and select_status_code
fields:
    - c-ip
    - c-dns
falsepositives:
    - Unknown
level: high
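The following is an added example, not part of the Sigma rule or of SigmaHQ: it applies the rule's three selections and its AND condition to a handful of constructed webserver log lines, so you can see which entries fire and which do not. It assumes a simple space-delimited log layout where the cs-uri-query field holds the full request target (as some proxy and webserver log sources do); the field names FIELDS, the sample lines, the client addresses and the placeholder paths are all constructed for the example.

```python
"""Added example (not part of the Sigma rule or SigmaHQ): evaluates the
CVE-2020-3452 rule's selections against constructed webserver log lines."""
from typing import Dict, List, Optional

# Constructed field layout (assumption): one space-delimited line per request,
# with Sigma's webserver field names so the rule's keys map directly.
FIELDS = ["date", "time", "c-ip", "cs-method", "cs-uri-query", "sc-status"]

# Selection values copied from the rule.
ENDPOINT_MARKERS = ["+CSCOT+/translation-table", "+CSCOT+/oem-customization"]
PATH_MARKERS = ["&textdomain=/", "&textdomain=%", "&name=/", "&name=%"]
REQUIRED_STATUS = 200


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into a field dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def matches_rule(event: Dict[str, str]) -> bool:
    """Rule condition: selection_endpoint and selection_path_select and select_status_code."""
    query = event.get("cs-uri-query", "")
    # cs-uri-query|contains: substring match, any listed value satisfies the selection
    selection_endpoint = any(marker in query for marker in ENDPOINT_MARKERS)
    selection_path_select = any(marker in query for marker in PATH_MARKERS)
    # sc-status: 200 is a numeric comparison; log pipelines often deliver strings
    try:
        select_status_code = int(event.get("sc-status", "")) == REQUIRED_STATUS
    except ValueError:
        select_status_code = False
    return selection_endpoint and selection_path_select and select_status_code


def find_hits(lines: List[str]) -> List[str]:
    """Return the c-ip of every line the rule alerts on (one of the rule's output fields)."""
    hits = []
    for line in lines:
        event = parse_line(line)
        if event is not None and matches_rule(event):
            hits.append(event["c-ip"])
    return hits


# Constructed sample log (not real traffic). Paths after the markers are placeholders.
SAMPLE_LOG = [
    # fires: endpoint marker, '&textdomain=/' marker, status 200
    "2021-01-07 10:00:01 203.0.113.5 GET /+CSCOT+/translation-table?type=mst&textdomain=/placeholder_path&default-language&lang=en 200",
    # does not fire: same request but the server answered 403, so select_status_code fails
    "2021-01-07 10:00:02 203.0.113.5 GET /+CSCOT+/translation-table?type=mst&textdomain=/placeholder_path&default-language&lang=en 403",
    # does not fire: ordinary translation-table fetch, textdomain is a plain name
    "2021-01-07 10:00:03 198.51.100.7 GET /+CSCOT+/translation-table?type=mst&textdomain=AnyConnect&default-language&lang=en 200",
    # does not fire: unrelated portal request
    "2021-01-07 10:00:04 198.51.100.9 GET /+CSCOE+/logon.html 200",
]

if __name__ == "__main__":
    for ip in find_hits(SAMPLE_LOG):
        print("CVE-2020-3452 exploitation attempt with HTTP 200 from", ip)
```

Note that because the condition requires sc-status 200, requests that the device refused (the 403 line above) do not fire this rule; if you also want visibility into blocked probes, run a separate lower-severity rule without the status selection rather than loosening this one, since the 200 requirement is what justifies the high level.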
