497.txt

This is the snapshot of Snot Latest Rules

Rule:

--
Sid: 497

-- 
Summary: 
This event is generated by the successful completion of a file transfer operation. This may be indicative of post-compromise behavior indicating the use of a Windows command shell for copying files.

-- 
Impact: 
Serious. An attacker may have the ability to transfer files from the victim host.

-- 
Detailed Information: 
This event indicates that a file was successfully copied using Windows command line shell.  The string "1 file(s) copied" is shown after the successful completion of a Windows "copy" command. 

Seeing this response in HTTP traffic indicates that an attacker may have been able to spawn a shell bound to a web port and has successfully executed the copy command. Note that the source address of this event is actually the victim and not that of the attacker.

--

Attack Scenarios: 
An attacker gains an access to a Windows web server via an IIS vulnerability and then copies "cmd.exe" into the directory accessible by the web server, thus creating a backdoor to access the system.

-- 

Ease of Attack: 
Simple. This may be post-attack behavior and can be indicative of the successful exploitation of a vulnerable system.

-- 

False Positives: 
None Known

--
False Negatives: 
None Known

-- 

Corrective Action: 
Investigate the web server for other signs of compromise

Look for other events generated by the same IP addresses.

--
Contributors:
Original rule writer unknown
Snort documentation contributed by Anton Chuvakin <http://www.chuvakin.org>
Sourcefire Vulnerability Research Team
Nigel Houghton <nigel.houghton@sourcefire.com>

-- 
Additional References:

--