Exploitation of CVE-2021-26814 in Wazuh
Detects the exploitation of the Wazuh RCE vulnerability described in CVE-2021-26814
Sigma rule (View on GitHub)
1title: Exploitation of CVE-2021-26814 in Wazuh
2id: b9888738-29ed-4c54-96a4-f38c57b84bb3
3status: test
4description: Detects the exploitation of the Wazuh RCE vulnerability described in CVE-2021-26814
5references:
6 - https://github.com/WickdDavid/CVE-2021-26814/blob/6a17355a10ec4db771d0f112cbe031e418d829d5/PoC.py
7author: Florian Roth (Nextron Systems)
8date: 2021/05/22
9modified: 2023/01/02
10tags:
11 - attack.initial_access
12 - attack.t1190
13 - cve.2021.21978
14 - cve.2021.26814
15 - detection.emerging_threats
16logsource:
17 category: webserver
18detection:
19 selection:
20 cs-uri-query|contains: '/manager/files?path=etc/lists/../../../../..'
21 condition: selection
22fields:
23 - c-ip
24 - c-dns
25falsepositives:
26 - Unknown
27level: high
References
-
A simple python PoC to exploit CVE-2021-26814 and gain RCE on Wazuh Manager (v.4.0.0-4.0.3) through the API service. - WickdDavid/CVE-2021-26814
Read More
Related rules
- CVE-2010-5278 Exploitation Attempt
- CVE-2020-0688 Exchange Exploitation via Web Log
- CVE-2020-0688 Exploitation Attempt
- CVE-2020-10148 SolarWinds Orion API Auth Bypass
- CVE-2020-5902 F5 BIG-IP Exploitation Attempt