ADSelfService Exploitation
Detects suspicious access to URLs that was noticed in cases in which attackers exploitated the ADSelfService vulnerability CVE-2021-40539
Sigma rule (View on GitHub)
1title: ADSelfService Exploitation
2id: 6702b13c-e421-44cc-ab33-42cc25570f11
3status: test
4description: Detects suspicious access to URLs that was noticed in cases in which attackers exploitated the ADSelfService vulnerability CVE-2021-40539
5references:
6 - https://us-cert.cisa.gov/ncas/alerts/aa21-259a
7author: Tobias Michalski (Nextron Systems), Max Altgelt (Nextron Systems)
8date: 2021/09/20
9modified: 2023/01/02
10tags:
11 - cve.2021.40539
12 - detection.emerging_threats
13 - attack.initial_access
14 - attack.t1190
15logsource:
16 category: webserver
17detection:
18 selection:
19 cs-uri-query|contains:
20 - '/help/admin-guide/Reports/ReportGenerate.jsp'
21 - '/ServletApi/../RestApi/LogonCustomization'
22 - '/ServletApi/../RestAPI/Connection'
23 condition: selection
24falsepositives:
25 - Unknown
26level: high
References
-
Summary This Joint Cybersecurity Advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework, Version 8. See the ATT&CK for Enterprise for referenced threat a...
Read More
Related rules
- CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit
- CVE-2010-5278 Exploitation Attempt
- CVE-2020-0688 Exchange Exploitation via Web Log
- CVE-2020-0688 Exploitation Attempt
- CVE-2020-10148 SolarWinds Orion API Auth Bypass