valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 01:45:21 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Update web_fortinet_cve_2021_22123_exploit.yml

Browse Source
This commit is contained in:
Florian Roth 2021-08-19 08:27:15 +02:00 committed by GitHub
parent 8d9f2e059a
commit 0c6db48ceb
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 9 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
rules/web/web_fortinet_cve_2021_22123_exploit.yml
View File

@ -1,10 +1,11 @@
title: Fortinet CVE-2021-22123 Exploitation title: Fortinet CVE-2021-22123 Exploitation
description: Detects CVE-2021-22123 exploitation attempt against Fortinet WAFs description: Detects CVE-2021-22123 exploitation attempt against Fortinet WAFs
id: f425637f-891c-4191-a6c4-3bb1b70513b4 id: f425637f-891c-4191-a6c4-3bb1b70513b4
status: experimental
references: references:
- https://www.rapid7.com/blog/post/2021/08/17/fortinet-fortiweb-os-command-injection - https://www.rapid7.com/blog/post/2021/08/17/fortinet-fortiweb-os-command-injection
author: Bhabesh Raj author: Bhabesh Raj, Florian Roth
date: 2021/08/18 date: 2021/08/19
tags: tags:
- attack.initial_access - attack.initial_access
- attack.t1190 - attack.t1190
@ -16,11 +17,12 @@ detection:
- '/api/v2.0/user/remoteserver.saml' - '/api/v2.0/user/remoteserver.saml'
cs-method: cs-method:
- POST - POST
content-type|startswith: filter1:
- 'multipart/form-data;' cs-referer|contains: '/root/user/remote-user/saml-user/'
content-disposition|contains: filter2:
- '`' cs-referer:
condition: selection - null
condition: selection and not filter1 and not filter2
fields: fields:
- client_ip - client_ip
- url - url