diff --git a/rules-emerging-threats/2025/Exploits/CVE-2025-20333/proxy_exploit_cve_2025_20333.yml b/rules-emerging-threats/2025/Exploits/CVE-2025-20333/proxy_exploit_cve_2025_20333.yml
new file mode 100644
index 000000000..a44c1f044
--- /dev/null
+++ b/rules-emerging-threats/2025/Exploits/CVE-2025-20333/proxy_exploit_cve_2025_20333.yml
@@ -0,0 +1,28 @@
+title: Cisco ASA Exploitation Activity - Proxy
+id: 15697955-6a29-47ca-92e9-0e05efae3260
+status: experimental
+description: |
+    Detects suspicious requests to Cisco ASA WebVpn via proxy logs associated with CVE-2025-20333 and CVE-2025-20362 exploitation.
+references:
+    - https://x.com/defusedcyber/status/1971492272966598683
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2025-11-20
+tags:
+    - attack.initial-access
+    - attack.t1190
+    - cve.2025-20333
+    - cve.2025-20362
+    - detection.emerging-threats
+logsource:
+    category: proxy
+detection:
+    selection:
+        cs-method: 'GET'
+        cs-uri-stem:
+            - '/+CSCOU+/MacTunnelStart.jar'
+            - '/+CSCOL+/csvrloader64.cab'
+            - '/+CSCOL+/csvrloader.jar'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
diff --git a/tests/logsource.json b/tests/logsource.json
index befdcb3a4..a8cdb17db 100644
--- a/tests/logsource.json
+++ b/tests/logsource.json
@@ -152,7 +152,7 @@
     "empty": ["not_found"],
     "category":{
         "proxy":["c-uri", "c-uri-extension", "c-uri-query", "c-uri-stem", "c-useragent", "cs-bytes", "cs-cookie",
-            "cs-host", "cs-method", "r-dns", "cs-referrer", "cs-version", "sc-bytes", "sc-status", "src_ip", "dst_ip",
+            "cs-host", "cs-method", "cs-uri-stem", "r-dns", "cs-referrer", "cs-version", "sc-bytes", "sc-status", "src_ip", "dst_ip",
             "cs-uri"],
         "webserver":["date", "time", "c-ip", "cs-username", "s-sitename", "s-computername", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query", "s-port", "cs-method", "sc-status", "sc-win32-status",
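Review bot: The selection keys the request path on `cs-uri-stem`, but the proxy field list in tests/logsource.json already carries `c-uri-stem` (the second hunk adds `cs-uri-stem` to the proxy list so the field check passes, rather than aligning the rule with the existing proxy field names); the proxy-category path field appears to be `c-uri-stem`, so the rule should use `        c-uri-stem:` and the fixture change becomes unnecessary. Exact matching on the three paths is reasonable for a stem field, but backends that put the full URL into the field would miss; `c-uri|endswith` with the same three values would be the tolerant form. The three paths look like standard WebVPN client component resources, so ordinary WebVPN client sessions may fetch them as well — `falsepositives: - Unknown` could name legitimate WebVPN client component downloads, which also argues for pairing the rule with a source/ASN or volume context in triage. A single X post is a thin reference for a `level: high` rule; adding the vendor advisory for the two CVEs named in the description would help reviewers validate the indicators.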