CVE-2022-31659 VMware Workspace ONE Access RCE
Detects possible exploitation of VMware Workspace ONE Access Admin Remote Code Execution vulnerability as described in CVE-2022-31659
Sigma rule (View on GitHub)
1title: CVE-2022-31659 VMware Workspace ONE Access RCE
2id: efdb2003-a922-48aa-8f37-8b80021a9706
3status: test
4description: Detects possible exploitation of VMware Workspace ONE Access Admin Remote Code Execution vulnerability as described in CVE-2022-31659
5references:
6 - https://petrusviet.medium.com/dancing-on-the-architecture-of-vmware-workspace-one-access-eng-ad592ae1b6dd
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2022/08/12
9modified: 2023/01/02
10tags:
11 - attack.initial_access
12 - attack.t1190
13 - cve.2022.31659
14 - detection.emerging_threats
15logsource:
16 category: webserver
17detection:
18 selection:
19 cs-method: 'POST'
20 cs-uri-query|contains: '/SAAS/jersey/manager/api/migrate/tenant' # Investigate the contents of the post body and look for any suspicious hosts that might be controlled by the attacker
21 condition: selection
22falsepositives:
23 - Vulnerability scanners
24 - Legitimate access to the URI
25level: medium
References
Related rules
- Apache Spark Shell Command Injection - Weblogs
- Atlassian Bitbucket Command Injection Via Archive API
- CVE-2021-41773 Exploitation Attempt
- CVE-2022-31656 VMware Workspace ONE Access Auth Bypass
- Log4j RCE CVE-2021-44228 in Fields