valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-06 09:25:17 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Update web_cve_2021_40539_adselfservice.yml

Browse Source
This commit is contained in:
Florian Roth 2021-09-20 13:07:31 +02:00 committed by GitHub
parent 2b843e58ee
commit 56069a2196
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 10 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
rules/web/web_cve_2021_40539_adselfservice.yml
View File

@ -1,21 +1,20 @@
title: Detects ADSelfService exploitation
id: 6702b13c-e421-44cc-ab33-42cc25570f11
status: experimental
description: Detects various logs that occur on explatiation of ADSelfService cve_2021_40539
description: Detects suspicious access to URLs that was noticed in cases in which attackers exploitated the ADSelfService vulnerability CVE-2021-40539
author: Tobias Michalski, Max Altgelt
references:
- https://us-cert.cisa.gov/ncas/alerts/aa21-259a
date: 2021/09/20
logsource:
category: logfile
category: webserver
detection:
keywords:
- '/help/admin-guide/Reports/ReportGenerate.jsp'
- '/ServletApi/../RestApi/LogonCustomization'
- '/ServletApi/../RestAPI/Connection'
- 'Keystore will be created for "admin"'
- 'The status of keystore creation is Upload!'
condition: keywords
selection:
c-uri|contains:
- '/help/admin-guide/Reports/ReportGenerate.jsp'
- '/ServletApi/../RestApi/LogonCustomization'
- '/ServletApi/../RestAPI/Connection'
condition: selection
falsepositives:
- Unknown, Maybe initial installation of ADSelfService
level: low
- Unknown
level: high