Added rule for TerraMaster TOS CVE-2020-28188

rules/web/web_terramaster_cve_2020_28188_rce_exploit.yml

@@ -0,0 +1,38 @@
+title: TerraMaster TOS CVE-2020-28188
+id: 15c312b9-00d0-4feb-8870-7d940a4bdc5e
+status: experimental
+description: Detects the exploitation of the TerraMaster TOS vulnerability described in CVE-2020-28188
+author: Bhabesh Raj
+date: 2021/01/25
+references:
+    - https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/
+    - https://nvd.nist.gov/vuln/detail/CVE-2020-28188
+    - https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/
+logsource:
+    category: webserver
+detection:
+    base_url:
+        cs-method: 'GET'
+        c-uri|contains|all:
+            - '/include/makecvs.php'
+            - '?Event='
+    payload:
+        c-uri|contains:
+            - 'curl'
+            - 'wget'
+            - '.py'
+            - '.sh'
+            - '.php'
+            - 'chmod'
+            - '_GET'
+    condition: base_url and payload
+fields:
+    - c-ip
+    - c-dns
+falsepositives:
+    - Unknown
+level: critical
+tags:
+    - attack.t1190
+    - attack.initial_access
+    - cve.2020-28188