From ce43b1da5c070a1d81005c926cdfc8a1db0ba67b Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 12 Aug 2022 18:50:08 +0100
Subject: [PATCH] Create web_cve_2022_31659_vmware_rce.yml

---
 rules/web/web_cve_2022_31659_vmware_rce.yml | 22 +++++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100644 rules/web/web_cve_2022_31659_vmware_rce.yml

diff --git a/rules/web/web_cve_2022_31659_vmware_rce.yml b/rules/web/web_cve_2022_31659_vmware_rce.yml
new file mode 100644
index 000000000..5d9fd9897
--- /dev/null
+++ b/rules/web/web_cve_2022_31659_vmware_rce.yml
@@ -0,0 +1,22 @@
+title: CVE-2022-31659 VMware Workspace ONE Access RCE
+id: efdb2003-a922-48aa-8f37-8b80021a9706
+status: experimental
+description: Detects possible exploitation of VMware Workspace ONE Access Admin Remote Code Execution vulnerability as described in CVE-2022-31659
+author: Nasreddine Bencherchali
+date: 2022/08/12
+references:
+    - https://petrusviet.medium.com/dancing-on-the-architecture-of-vmware-workspace-one-access-eng-ad592ae1b6dd
+logsource:
+    category: webserver
+detection:
+    selection:
+        cs-method: 'POST'
+        c-uri|contains: '/SAAS/jersey/manager/api/migrate/tenant' # Investigate the host header to look spot the difference between benign and malicious requests to this URL
+    condition: selection
+falsepositives:
+    - Vulnerability scanners
+    - Legitimate access to the URI
+level: medium
+tags:
+    - attack.initial_access
+    - attack.t1190
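Review bot: The triage guidance on the `c-uri|contains` line is a YAML comment, which is discarded when the rule is converted to a backend query, so the analyst who receives the alert never sees the instruction to check the Host header, while the selection itself fires on every POST to that path regardless of that header. If the Host value that separates exploitation from benign traffic can be characterized, it should be a second field in `selection` (presumably the webserver logsource exposes it as `cs-host` — confirm against the field mapping before relying on it); if it cannot, the hint belongs in `description` so it survives conversion, e.g. appending `Review the Host header of matching requests to distinguish benign traffic from exploitation attempts.` to that sentence. Either way the URI-only match plus "Legitimate access to the URI" under `falsepositives` means `level: medium` rests entirely on the analyst reading a comment that is not delivered with the alert. Minor: the comment reads `to look spot the difference`; drop `look`.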