Sitecore Pre-Auth RCE CVE-2021-42237
Detects exploitation attempts of Sitecore Experience Platform Pre-Auth RCE CVE-2021-42237 found in Report.ashx
Sigma rule
```yaml
title: Sitecore Pre-Auth RCE CVE-2021-42237
id: 20c6ed1c-f7f0-4ea3-aa65-4f198e6acb0f
status: test
description: Detects exploitation attempts of Sitecore Experience Platform Pre-Auth RCE CVE-2021-42237 found in Report.ashx
references:
    - https://blog.assetnote.io/2021/11/02/sitecore-rce/
    - https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1000776
author: Florian Roth (Nextron Systems)
date: 2021-11-17
modified: 2023-01-02
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2021-42237
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection:
        cs-method: 'POST'
        cs-uri-query|contains: '/sitecore/shell/ClientBin/Reporting/Report.ashx'
        sc-status: 200
    condition: selection
falsepositives:
    - Vulnerability Scanning
level: high
```