valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-06 17:35:19 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Update web_fortinet_cve_2021_22123_exploit.yml

Browse Source
This commit is contained in:
Florian Roth 2021-08-19 08:27:15 +02:00 committed by GitHub
parent 8d9f2e059a
commit 0c6db48ceb
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 9 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
rules/web/web_fortinet_cve_2021_22123_exploit.yml
View File

@ -1,10 +1,11 @@
title: Fortinet CVE-2021-22123 Exploitation
description: Detects CVE-2021-22123 exploitation attempt against Fortinet WAFs
id: f425637f-891c-4191-a6c4-3bb1b70513b4
status: experimental
references:
- https://www.rapid7.com/blog/post/2021/08/17/fortinet-fortiweb-os-command-injection
author: Bhabesh Raj
date: 2021/08/18
author: Bhabesh Raj, Florian Roth
date: 2021/08/19
tags:
- attack.initial_access
- attack.t1190
@ -16,11 +17,12 @@ detection:
- '/api/v2.0/user/remoteserver.saml'
cs-method:
- POST
content-type|startswith:
- 'multipart/form-data;'
content-disposition|contains:
- '`'
condition: selection
filter1:
cs-referer|contains: '/root/user/remote-user/saml-user/'
filter2:
cs-referer:
- null
condition: selection and not filter1 and not filter2
fields:
- client_ip
- url