Attack

The `rmcp` crate before v1.4.0 is vulnerable to DNS rebinding attacks via the Streamable HTTP server transport due to missing Host header validation, potentially allowing arbitrary code execution on a victim's machine if they visit a malicious website.

This rule correlates multiple security alerts associated with the same ATT&CK tactic on a single host within a defined time window, helping to identify hosts exhibiting concentrated malicious behavior indicative of an active intrusion or post-compromise activity, focusing on Credential Access, Defense Evasion, Execution, and Command and Control tactics.

A Metasploit module exploits Atlassian Confluence servers by deploying a malicious Java plugin that downloads Meterpreter, granting the attacker full control over the compromised system.