Sitecore Pre-Auth RCE CVE-2021-42237

Detects exploitation attempts of Sitecore Experience Platform Pre-Auth RCE CVE-2021-42237 found in Report.ashx

Sigma rule (View on GitHub)

 1title: Sitecore Pre-Auth RCE CVE-2021-42237
 2id: 20c6ed1c-f7f0-4ea3-aa65-4f198e6acb0f
 3status: test
 4description: Detects exploitation attempts of Sitecore Experience Platform Pre-Auth RCE CVE-2021-42237 found in Report.ashx
 5references:
 6    - https://blog.assetnote.io/2021/11/02/sitecore-rce/
 7    - https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1000776
 8author: Florian Roth (Nextron Systems)
 9date: 2021-11-17
10modified: 2023-01-02
11tags:
12    - attack.initial-access
13    - attack.t1190
14    - cve.2021-42237
15    - detection.emerging-threats
16logsource:
17    category: webserver
18detection:
19    selection:
20        cs-method: 'POST'
21        cs-uri-query|contains: '/sitecore/shell/ClientBin/Reporting/Report.ashx'
22        sc-status: 200
23    condition: selection
24falsepositives:
25    - Vulnerability Scanning
26level: high

References

Related rules

to-top