Merge pull request #2010 from BlackB0lt/patch-16

Create web_cve_2021_40539_manageengine_adselfservice_exploit.yml

rules/web/web_cve_2021_40539_manageengine_adselfservice_exploit.yml

@@ -0,0 +1,28 @@
+title: CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit
+id: fcbb4a77-f368-4945-b046-4499a1da69d1
+status: experimental
+description: Detects an authentication bypass vulnerability affecting the REST API URLs in ADSelfService Plus (CVE-2021-40539).
+references:
+    - https://therecord.media/cisa-warns-of-zoho-server-zero-day-exploited-in-the-wild/
+    - https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html
+author: Sittikorn S, Nuttakorn L
+date: 2021/09/10
+tags:
+    - attack.initial_access
+    - attack.t1190
+logsource:
+    product: zoho_manageengine
+    category: webserver
+    definition: 'Must be collect log from \ManageEngine\ADSelfService Plus\logs'
+detection:
+    selection:
+        c-uri|contains:
+            - '/RestAPI/LogonCustomization'
+            - '/RestAPI/Connection'
+    condition: selection
+fields:
+    - c-ip
+    - c-uri
+falsepositives:
+    - External Pentesting
+level: critical