Yara Rule - Detects log entries that could indicate a successful exploitation of CVE-2023-29357 on Microsoft SharePoint servers with the published Python POC

Yara definition.

Author: Florian Roth (with help from @LuemmelSec)

https://twitter.com/Gi7w0rm/status/1706764212704591953?s

```
date = "2023-09-28"
modified = "2023-09-29"
score = 70
// https://x.com/TH3C0DEX/status/1707503935596925048?s=20
// https://x.com/theluemmel/status/1707653715627311360?s=20 (plus private chat)
$xr1 = /GET \/_vti_bin\/client\.svc\/web\/(siteusers|currentuser) - (80|443) .{10,200} python-requests\/[0-9\.]{3,8} - [^4]/
```
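To show which log entries the `$xr1` regex flags and which it skips, the following added example (not part of the rule or of the signature-base repository) runs a Python translation of the regex over constructed IIS W3C log lines. The sample lines, their field order and the `scan` helper are assumptions made for illustration.

```python
import re

# Python translation of the rule's $xr1 regex (YARA's escaped "/" written plainly).
XR1 = re.compile(
    r"GET /_vti_bin/client\.svc/web/(siteusers|currentuser) - (80|443) "
    r".{10,200} python-requests/[0-9.]{3,8} - [^4]"
)

# Constructed IIS W3C log lines (assumed default field order), not from a real server.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2023-09-28 10:15:02 10.0.0.5 GET /_vti_bin/client.svc/web/siteusers - 443 - 203.0.113.10 python-requests/2.31.0 - 200 0 0 125
2023-09-28 10:15:03 10.0.0.5 GET /_vti_bin/client.svc/web/currentuser - 443 - 203.0.113.10 python-requests/2.31.0 - 401 0 0 31
2023-09-28 10:15:04 10.0.0.5 GET /_vti_bin/client.svc/web/currentuser - 443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 40
2023-09-28 10:15:05 10.0.0.5 GET /_vti_bin/client.svc/web/siteusers - 80 - 203.0.113.10 python-requests/2.28.1 - 500 0 0 12
"""


def scan(log_text):
    """Return (line_number, endpoint, client_ip, status) for each matching line."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if line.startswith("#"):
            continue  # W3C directive lines (#Fields, #Software, ...)
        m = XR1.search(line)
        if not m:
            continue
        fields = line.split(" ")
        # Indexes follow the #Fields order used in SAMPLE_LOG:
        # 8 = c-ip, 11 = sc-status.
        hits.append((lineno, m.group(1), fields[8], fields[11]))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The 401 response and the browser user agent are skipped, while the 500 response still matches because `[^4]` only excludes 4xx status codes, so each hit's status should be checked during triage.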


[https://github.com/Neo23x0/signature-base/commit/cbcadf2ccdfc0532b535885d44e24842c00cd421](https://github.com/Neo23x0/signature-base/commit/cbcadf2ccdfc0532b535885d44e24842c00cd421)