type: trigger
format: 2.0
name: crowdsecurity/CVE-2019-18935
description: "Detect Telerik CVE-2019-18935 exploitation attempts"
filter: |
  evt.Meta.log_type in ['http_access-log', 'http_error-log'] && Upper(QueryUnescape(evt.Meta.http_path)) startsWith Upper('/Telerik.Web.UI.WebResource.axd?type=rau')
groupby: "evt.Meta.source_ip"
blackhole: 2m
labels:
  type: exploit
  remediation: true
  classification:
    - attack.T1595
    - attack.T1190
    - cve.CVE-2019-18935
  spoofable: 0
  confidence: 3
  behavior: "http:exploit"
  label: "Telerik CVE-2019-18935"
  service: telerik