Potential Centos Web Panel Exploitation Attempt - CVE-2022-44877
Detects potential exploitation attempts that target the Centos Web Panel 7 Unauthenticated Remote Code Execution CVE-2022-44877
Sigma rule:

```yaml
title: Potential Centos Web Panel Exploitation Attempt - CVE-2022-44877
id: 1b2eeb27-949b-4704-8bfa-d8e5cfa045a1
status: test
description: Detects potential exploitation attempts that target the Centos Web Panel 7 Unauthenticated Remote Code Execution CVE-2022-44877
references:
  - https://seclists.org/fulldisclosure/2023/Jan/1
  - https://www.rapid7.com/blog/post/2023/01/19/etr-exploitation-of-control-web-panel-cve-2022-44877/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-20
tags:
  - attack.initial-access
  - attack.t1190
  - cve.2022-44877
  - detection.emerging-threats
logsource:
  category: webserver
detection:
  selection:
    cs-method: 'POST'
    cs-uri-query|contains|all:
      - '/login/index.php'
      - 'login='
    cs-uri-query|contains:
      # TODO: Include other commonly used reverse shells. Examples: https://www.revshells.com/
      - 'login=$('
      # Common keywords related to python reverse shells
      - 'base64'
      - 'subprocess'
      - 'socket'
      - '${IFS}' # Usage of the input field separator to avoid writing spaces
      # B64 Encoded "python" with different offsets
      - 'cHl0aG9u'
      - 'B5dGhvb'
      - 'weXRob2'
  condition: selection
falsepositives:
  - Web vulnerability scanners
level: high
```
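To show how the `selection` block above evaluates against webserver records, here is an added example (not part of the rule or the SigmaHQ project) that re-implements the rule's matching logic in plain Python and runs it over constructed log records. It assumes each record exposes the rule's field names (`cs-method`, `cs-uri-query`), that `cs-uri-query` holds the full request target (path plus query string), and that Sigma `contains` matching is case-insensitive.

```python
# Added example: minimal evaluator for the rule's 'selection' block.
# Assumptions: records are dicts keyed by the Sigma field names; cs-uri-query
# carries path + query string; 'contains' is matched case-insensitively.

REQUIRED_ALL = ["/login/index.php", "login="]   # cs-uri-query|contains|all
ANY_OF = [                                      # cs-uri-query|contains
    "login=$(",                          # command substitution in the login field
    "base64", "subprocess", "socket",    # python reverse-shell keywords
    "${IFS}",                            # input field separator instead of spaces
    "cHl0aG9u", "B5dGhvb", "weXRob2",    # "python" base64-encoded at three offsets
]


def matches_rule(record: dict) -> bool:
    """Return True when the record satisfies the rule's 'selection' block."""
    if record.get("cs-method", "").upper() != "POST":
        return False
    uri = record.get("cs-uri-query", "").lower()
    # 'all' modifier: every keyword must be present
    if not all(k.lower() in uri for k in REQUIRED_ALL):
        return False
    # plain 'contains' list: any one keyword is enough
    return any(k.lower() in uri for k in ANY_OF)


# Constructed sample records (not real traffic): one true positive, one
# legitimate login, one GET (wrong method), one wrong path.
SAMPLE_LOGS = [
    {"cs-method": "POST", "cs-uri-query": "/login/index.php?login=$(echo${IFS}hello)"},
    {"cs-method": "POST", "cs-uri-query": "/login/index.php?login=alice"},
    {"cs-method": "GET",  "cs-uri-query": "/login/index.php?login=$(echo${IFS}hello)"},
    {"cs-method": "POST", "cs-uri-query": "/index.php?login=cHl0aG9u"},
]


def alert_indices(records) -> list:
    """Indices of records that would raise this rule's alert."""
    return [i for i, r in enumerate(records) if matches_rule(r)]


if __name__ == "__main__":
    print(alert_indices(SAMPLE_LOGS))  # [0]
```

Only the first record trips the rule: the second lacks every `contains` keyword, the third is not a POST, and the fourth does not hit `/login/index.php`, which is the `all`-modifier check the scanner false positives listed above tend to satisfy.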