ADSelfService Exploitation

Detects suspicious access to URLs that was noticed in cases in which attackers exploitated the ADSelfService vulnerability CVE-2021-40539

Sigma rule (View on GitHub)

 1title: ADSelfService Exploitation
 2id: 6702b13c-e421-44cc-ab33-42cc25570f11
 3status: test
 4description: Detects suspicious access to URLs that was noticed in cases in which attackers exploitated the ADSelfService vulnerability CVE-2021-40539
 5references:
 6    - https://us-cert.cisa.gov/ncas/alerts/aa21-259a
 7author: Tobias Michalski (Nextron Systems), Max Altgelt (Nextron Systems)
 8date: 2021-09-20
 9modified: 2023-01-02
10tags:
11    - cve.2021-40539
12    - detection.emerging-threats
13    - attack.initial-access
14    - attack.t1190
15logsource:
16    category: webserver
17detection:
18    selection:
19        cs-uri-query|contains:
20            - '/help/admin-guide/Reports/ReportGenerate.jsp'
21            - '/ServletApi/../RestApi/LogonCustomization'
22            - '/ServletApi/../RestAPI/Connection'
23    condition: selection
24falsepositives:
25    - Unknown
26level: high

References

Related rules

to-top