Home/CVE-2020-5902/YARA rules
YARA

YARA rules for CVE-2020-5902

1 rules · scoped to cve · back to CVE-2020-5902
YARA rules whose family, name, or description matches this cve or its tooling. Use these for binary-pattern hunts.

YARA rules

1 of 1
direct Payload
MAL_Payload_F5_BIG_IP_Exploitations_Jul20_1
Detects code found in report on exploits against CVE-2020-5902 F5 BIG-IP vulnerability by NCC group
author Florian Roth (Nextron Systems) license see source repo
view YARA rule 
rule MAL_Payload_F5_BIG_IP_Exploitations_Jul20_1 {
   meta:
      description = "Detects code found in report on exploits against CVE-2020-5902 F5 BIG-IP vulnerability by NCC group"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://research.nccgroup.com/2020/07/05/rift-f5-networks-k52145254-tmui-rce-vulnerability-cve-2020-5902-intelligence/"
      date = "2020-06-07"
      score = 75
      id = "57705ba1-c0ad-5ca6-8539-44d9da6b5942"
   strings:
      $x1 = "rm -f /etc/ld.so.preload" ascii fullword
      $x2 = "echo \"* * * * * $LDR" ascii
      $x3 = ".sh -o /tmp/in.sh" ascii
      $x4 = "chmod a+x /etc/.modules/.tmp" ascii
      $x5 = "chmod +x /var/log/F5-logcheck"

      $s1 = "ulimit -n 65535" ascii fullword
      $s2 = "-s /usr/bin/wget " ascii
      $s3 = ".sh | sh" ascii
   condition:
      filesize < 300KB and
      ( 1 of ($x*) or 3 of them )
}
Showing 1-1 of 1
Prev 1 Next
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin