CVE-2021-21972 VSphere Exploitation

Detects the exploitation of VSphere Remote Code Execution vulnerability as described in CVE-2021-21972

Sigma rule (View on GitHub)

 1title: CVE-2021-21972 VSphere Exploitation
 2id: 179ed852-0f9b-4009-93a7-68475910fd86
 3status: test
 4description: Detects the exploitation of VSphere Remote Code Execution vulnerability as described in CVE-2021-21972
 5references:
 6    - https://www.vmware.com/security/advisories/VMSA-2021-0002.html
 7    - https://f5.pm/go-59627.html
 8    - https://swarm.ptsecurity.com/unauth-rce-vmware
 9author: Bhabesh Raj
10date: 2021-02-24
11modified: 2023-01-02
12tags:
13    - attack.initial-access
14    - attack.t1190
15    - cve.2021-21972
16    - detection.emerging-threats
17logsource:
18    category: webserver
19detection:
20    selection:
21        cs-method: 'POST'
22        cs-uri-query: '/ui/vropspluginui/rest/services/uploadova'
23    condition: selection
24falsepositives:
25    - OVA uploads to your VSphere appliance
26level: high

References

Related rules

to-top