Pulse Connect Secure RCE Attack CVE-2021-22893

This rule detects exploitation attempts against the Pulse Connect Secure (PCS) authentication-bypass vulnerability CVE-2021-22893 by looking for web requests that combine a PCS endpoint prefix (/dana-na/auth/, /dana-ws/, /dana-cached/) with one of the parameters or path fragments observed in the reported attack traffic.

Sigma rule

```yaml
title: Pulse Connect Secure RCE Attack CVE-2021-22893
id: 5525edac-f599-4bfd-b926-3fa69860e766
status: stable
description: This rule detects exploitation attempts using Pulse Connect Secure (PCS) vulnerability (CVE-2021-22893)
references:
    - https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html
    - https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784
author: Sittikorn S
date: 2021-06-29
modified: 2023-01-02
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2021-22893
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection1:
        cs-uri-query|contains:
            - '/dana-na/auth/'
            - '/dana-ws/'
            - '/dana-cached/'
    selection2:
        cs-uri-query|contains:
            - '?id='
            - '?token='
            - 'Secid_canceltoken.cgi'
            - 'CGI::param'
            - 'meeting'
            - 'smb'
            - 'namedusers'
            - 'metric'
    condition: all of selection*
falsepositives:
    - Vulnerability Scanning
level: high
```
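The following Python script replays the rule's detection logic over a handful of webserver log lines so the matching behaviour can be checked before the rule is deployed. It is an added example for this page, not code from the rule author or the SigmaHQ repository; the log lines, IP addresses and the simplified W3C field layout (`date time c-ip cs-method cs-uri-stem cs-uri-query sc-status`) are constructed. Sigma's `contains` modifier is case-insensitive, so the comparison is done in lowercase. Note that the rule mixes path fragments (`/dana-ws/`) with query markers (`?id=`) inside a single `cs-uri-query` field: it only fires when the backend's field mapping feeds the whole request target (path plus query) into that field, which the example makes explicit by rebuilding the target from stem and query.

```python
"""Replay of the CVE-2021-22893 Sigma rule over constructed webserver log lines.

Added example for this page; not part of the rule or the SigmaHQ repository.
All log lines and addresses below are constructed.
"""
from typing import Dict, List

# Values copied verbatim from the rule above. Sigma's `contains` is
# case-insensitive, so every comparison is done on lowercased strings.
SELECTION1 = ["/dana-na/auth/", "/dana-ws/", "/dana-cached/"]
SELECTION2 = ["?id=", "?token=", "Secid_canceltoken.cgi", "CGI::param",
              "meeting", "smb", "namedusers", "metric"]


def matches_rule(cs_uri_query: str) -> bool:
    """condition: all of selection* -> at least one hit from each list."""
    value = cs_uri_query.lower()
    hit1 = any(s.lower() in value for s in SELECTION1)
    hit2 = any(s.lower() in value for s in SELECTION2)
    return hit1 and hit2


def request_target(cs_uri_stem: str, cs_uri_query: str) -> str:
    """Rebuild the full request target (path + '?' + query).

    The rule's patterns only work on a field that carries path and query
    together; a strict W3C cs-uri-query (query string alone, no '?') can
    never satisfy selection1. '-' is the W3C marker for an empty query.
    """
    if cs_uri_query == "-":
        return cs_uri_stem
    return f"{cs_uri_stem}?{cs_uri_query}"


# Constructed sample log (assumed layout):
#   date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2021-06-29 10:00:01 203.0.113.5 GET /dana-na/auth/url_default/welcome.cgi - 200
2021-06-29 10:00:07 203.0.113.5 POST /dana-ws/namedusers id=1 200
2021-06-29 10:00:09 198.51.100.9 GET /dana-cached/hc/HostCheckerInstaller.osx - 200
2021-06-29 10:00:12 198.51.100.9 GET /dana-na/auth/smb/metric.cgi token=abc 200
2021-06-29 10:00:15 192.0.2.77 GET /index.html id=5 200
"""


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one alert per log line whose rebuilt request target matches."""
    alerts: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, c_ip, method, stem, query, status = line.split()
        target = request_target(stem, query)
        if matches_rule(target):
            alerts.append({"time": f"{date} {time}", "c_ip": c_ip,
                           "method": method, "target": target,
                           "status": status})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"[CVE-2021-22893] {alert['time']} {alert['c_ip']} "
              f"{alert['method']} {alert['target']} -> {alert['status']}")
```

Running the script flags the `/dana-ws/namedusers?id=1` and `/dana-na/auth/smb/metric.cgi?token=abc` requests and ignores the plain login page, the Host Checker download and the non-PCS `/index.html?id=5` request. Keep in mind that `smb`, `meeting` and `metric` are short substrings, so any legitimate PCS path under `/dana-na/auth/` that happens to contain them will also match; baseline your own gateway's normal URLs before treating a hit as more than a lead, which is what the rule's `falsepositives` entry warns about.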
