SigmaHQ/rules/web/web_cve_2021_26814_wzuh_rce.yml

title: Exploitation of CVE-2021-26814 in Wazuh
id: b9888738-29ed-4c54-96a4-f38c57b84bb3
status: experimental
description: Detects the exploitation of the Wazuh RCE vulnerability described in CVE-2021-26814
author: Florian Roth
date: 2021/05/22
references:
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-26814
    - https://github.com/WickdDavid/CVE-2021-26814/blob/main/PoC.py
    - https://nvd.nist.gov/vuln/detail/cve-2021-21978
logsource:
    category: webserver
detection:
    selection:
        c-uri|contains: '/manager/files?path=etc/lists/../../../../..'
    condition: selection
fields:
    - c-ip
    - c-dns
falsepositives:
    - None
level: high
tags:
    - attack.initial_access
    - attack.t1190
Create web_cve_2021_26814_wzuh_rce.yml 2021-05-22 13:45:38 +00:00			`title: Exploitation of CVE-2021-26814 in Wazuh`
			`id: b9888738-29ed-4c54-96a4-f38c57b84bb3`
			`status: experimental`
			`description: Detects the exploitation of the Wazuh RCE vulnerability described in CVE-2021-26814`
			`author: Florian Roth`
			`date: 2021/05/22`
			`references:`
			`- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-26814`
			`- https://github.com/WickdDavid/CVE-2021-26814/blob/main/PoC.py`
$frack113$ fix cve tags 2021-08-24 08:10:45 +00:00			`- https://nvd.nist.gov/vuln/detail/cve-2021-21978`
Create web_cve_2021_26814_wzuh_rce.yml 2021-05-22 13:45:38 +00:00			`logsource:`
			`category: webserver`
			`detection:`
			`selection:`
			`c-uri\|contains: '/manager/files?path=etc/lists/../../../../..'`
			`condition: selection`
			`fields:`
			`- c-ip`
			`- c-dns`
			`falsepositives:`
			`- None`
			`level: high`
			`tags:`
			`- attack.initial_access`
			`- attack.t1190`