[Detect] Drupalgeddon - CVE-2018-7600

While Reveal(x)'s primary function is monitoring the East-West corridor for anomalous traffic, it’s by no means limited to the inside of the network. Monitoring the perimeter can also highlight interesting things happening - traffic that you would normally expect an IDS to detect can also trigger detections in Reveal(x). One good example is when an external bad actor attempts to breach DMZ websites running vulnerable versions of the Drupal content management system - vulnerable to CVE-2018-7600.

Usually, we expect to see two specific markers associated with this kind of attack - first reconnaissance of the targeted web server, usually with port scans or more effectively with Web Directory scans (which look like the first image below) and then when the scans successfully find drupal.js and other relevant artefacts on the server we secondly expect to see the actual Drupal CVE payload sent to the webserver.