Pulse Connect Secure RCE Attack CVE-2021-22893
This rule detects exploitation attempts using Pulse Connect Secure(PCS) vulnerability (CVE-2021-22893)
Sigma rule (View on GitHub)
1title: Pulse Connect Secure RCE Attack CVE-2021-22893
2id: 5525edac-f599-4bfd-b926-3fa69860e766
3status: stable
4description: This rule detects exploitation attempts using Pulse Connect Secure(PCS) vulnerability (CVE-2021-22893)
5references:
6 - https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html
7 - https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784
8author: Sittikorn S
9date: 2021/06/29
10modified: 2023/01/02
11tags:
12 - attack.initial_access
13 - attack.t1190
14 - cve.2021.22893
15 - detection.emerging_threats
16logsource:
17 category: webserver
18detection:
19 selection1:
20 cs-uri-query|contains:
21 - '/dana-na/auth/'
22 - '/dana-ws/'
23 - '/dana-cached/'
24 selection2:
25 cs-uri-query|contains:
26 - '?id='
27 - '?token='
28 - 'Secid_canceltoken.cgi'
29 - 'CGI::param'
30 - 'meeting'
31 - 'smb'
32 - 'namedusers'
33 - 'metric'
34 condition: all of selection*
35falsepositives:
36 - Vulnerability Scanning
37level: high
References
-
We examine multiple techniques for bypassing single & multifactor authentication on Pulse Secure VPN devices and maintaining access through webshells.
Read More -
Related rules
- CVE-2010-5278 Exploitation Attempt
- CVE-2020-0688 Exchange Exploitation via Web Log
- CVE-2020-0688 Exploitation Attempt
- CVE-2020-10148 SolarWinds Orion API Auth Bypass
- CVE-2020-5902 F5 BIG-IP Exploitation Attempt