SigmaHQ/rules/web/web_pulsesecure_cve_2019_11510.yml

title: Pulse Secure Attack CVE-2019-11510
id: 2dbc10d7-a797-49a8-8776-49efa6442e60
status: experimental
description: Detects CVE-2019-11510 exploitation attempt - URI contains Guacamole
author: Florian Roth
date: 2019/11/18
modified: 2020/09/03
references:
    - https://www.exploit-db.com/exploits/47297
logsource:
    category: webserver
detection:
    selection:
        c-uri: '*?/dana/html5acc/guacamole/*'
    condition: selection
fields:
    - client_ip
    - vhost
    - url
    - response
falsepositives:
    - Unknown
level: critical
tags:
    - attack.initial_access
    - attack.t1190