SigmaHQ/rules/web/web_cve_2021_40539_adselfservice.yml
2021-09-20 15:51:21 +02:00

21 lines
688 B
YAML

title: ADSelfService Exploitation
id: 6702b13c-e421-44cc-ab33-42cc25570f11
status: experimental
description: Detects suspicious access to URLs that was noticed in cases in which attackers exploitated the ADSelfService vulnerability CVE-2021-40539
author: Tobias Michalski, Max Altgelt
references:
- https://us-cert.cisa.gov/ncas/alerts/aa21-259a
date: 2021/09/20
logsource:
category: webserver
detection:
selection:
c-uri|contains:
- '/help/admin-guide/Reports/ReportGenerate.jsp'
- '/ServletApi/../RestApi/LogonCustomization'
- '/ServletApi/../RestAPI/Connection'
condition: selection
falsepositives:
- Unknown
level: high