Potential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code Execution

Detects a potential exploitation attempt of CVE-2022-22954, a remote code execution vulnerability in VMware Workspace ONE Access and Identity Manager. As reported by Morphisec, as part of the attack chain the threat actors ran PowerShell commands that executed as child processes of the legitimate Tomcat service wrapper "prunsrv.exe".

Sigma rule

title: Potential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code Execution
id: 5660d8db-6e25-411f-b92f-094420168a5d
status: test
description: |
    Detects potential exploitation attempt of CVE-2022-22954, a remote code execution vulnerability in VMware Workspace ONE Access and Identity Manager.
    As reported by Morphisec, part of the attack chain, threat actors used PowerShell commands that executed as a child processes of the legitimate Tomcat "prunsrv.exe" process application.
references:
    - https://blog.morphisec.com/vmware-identity-manager-attack-backdoor
    - https://github.com/DrorDvash/CVE-2022-22954_VMware_PoC
author: '@kostastsale'
date: 2022-04-25
tags:
    - attack.execution
    - attack.initial-access
    - attack.t1059.006
    - attack.t1190
    - cve.2022-22954
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\prunsrv.exe'
    selection_payload_pwsh:
        Image|endswith: '\powershell.exe'
    selection_payload_cmd:
        Image|endswith: '\cmd.exe'
        CommandLine|contains: '/c powershell'
    condition: selection_parent and 1 of selection_payload_*
falsepositives:
    - Some false positives are possible as part of a custom script implementation from admins executed with cmd.exe as the child process.
level: medium
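The following is an added example, not part of the Sigma project or of the rule above: a stand-alone Python re-implementation of the rule's detection logic (`selection_parent and 1 of selection_payload_*`) run over a handful of constructed process-creation events. The event fields (ParentImage, Image, CommandLine), file paths and command lines are all made up for illustration; the matching follows Sigma's default case-insensitive `endswith` and `contains` semantics, and the samples include a benign cmd.exe child of prunsrv.exe to show where the rule deliberately does not fire.

```python
"""Re-implementation of the Sigma rule's process_creation logic.

Added example, not the Sigma project's own code. Events are constructed
Sysmon Event ID 1 / Windows 4688-style records reduced to the three fields
the rule uses, with Sigma taxonomy field names.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process_creation event (constructed, not from a real host)."""
    parent_image: str
    image: str
    command_line: str


def _endswith_ci(value: str, suffix: str) -> bool:
    # Sigma string modifiers match case-insensitively by default.
    return value.lower().endswith(suffix.lower())


def _contains_ci(value: str, needle: str) -> bool:
    return needle.lower() in value.lower()


def matches_rule(event: ProcessEvent) -> bool:
    """True when the event satisfies: selection_parent and 1 of selection_payload_*."""
    # selection_parent: ParentImage|endswith '\prunsrv.exe'
    selection_parent = _endswith_ci(event.parent_image, "\\prunsrv.exe")
    # selection_payload_pwsh: Image|endswith '\powershell.exe'
    selection_payload_pwsh = _endswith_ci(event.image, "\\powershell.exe")
    # selection_payload_cmd: Image|endswith '\cmd.exe' AND CommandLine|contains '/c powershell'
    selection_payload_cmd = (
        _endswith_ci(event.image, "\\cmd.exe")
        and _contains_ci(event.command_line, "/c powershell")
    )
    return selection_parent and (selection_payload_pwsh or selection_payload_cmd)


def find_alerts(events: Iterable[ProcessEvent]) -> List[ProcessEvent]:
    """Return every event the rule would alert on, preserving input order."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events; paths and command lines are invented for illustration.
SAMPLE_EVENTS = [
    # 1: Tomcat service wrapper spawning PowerShell directly -> alert
    ProcessEvent(
        parent_image=r"C:\VMware\Tomcat\bin\prunsrv.exe",
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        command_line='powershell.exe -NoProfile -Command "Get-Process"',
    ),
    # 2: cmd.exe launched by prunsrv.exe (mixed case) that hands off to PowerShell -> alert
    ProcessEvent(
        parent_image=r"C:\VMware\Tomcat\bin\PRUNSRV.EXE",
        image=r"C:\Windows\System32\cmd.exe",
        command_line='cmd.exe /c powershell -c "Get-Date"',
    ),
    # 3: cmd.exe child of prunsrv.exe running a plain batch task -> no alert
    #    (selection_payload_cmd also needs '/c powershell' in the command line)
    ProcessEvent(
        parent_image=r"C:\VMware\Tomcat\bin\prunsrv.exe",
        image=r"C:\Windows\System32\cmd.exe",
        command_line="cmd.exe /c rotate_logs.bat",
    ),
    # 4: PowerShell started from an interactive explorer.exe session -> no alert
    ProcessEvent(
        parent_image=r"C:\Windows\explorer.exe",
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        command_line="powershell.exe",
    ),
    # 5: prunsrv.exe itself being started by services.exe -> no alert
    #    (the rule keys on the *parent*, not on the image name)
    ProcessEvent(
        parent_image=r"C:\Windows\System32\services.exe",
        image=r"C:\VMware\Tomcat\bin\prunsrv.exe",
        command_line="prunsrv.exe //RS//Service",
    ),
]


if __name__ == "__main__":
    for hit in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT parent={hit.parent_image} image={hit.image} cmd={hit.command_line!r}")
```

Running the block prints two alerts (events 1 and 2). Event 3 illustrates the rule's false-positive boundary from the `falsepositives` section: an admin-maintained batch job under Tomcat stays quiet unless it invokes PowerShell via `cmd.exe /c powershell`, which is exactly the pattern an analyst would then have to triage.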
