From a6a3f6b3924f0035365db54a9aa02c1256f5be5b Mon Sep 17 00:00:00 2001
From: Sittikorn S <61369934+BlackB0lt@users.noreply.github.com>
Date: Fri, 10 Sep 2021 10:31:11 +0700
Subject: [PATCH 1/2] Create web_cve_2021_40539_manageengine_adselfservice_exploit.yml

---
...539_manageengine_adselfservice_exploit.yml | 27 +++++++++++++++++++
1 file changed, 27 insertions(+)
create mode 100644 rules/web/web_cve_2021_40539_manageengine_adselfservice_exploit.yml

diff --git a/rules/web/web_cve_2021_40539_manageengine_adselfservice_exploit.yml b/rules/web/web_cve_2021_40539_manageengine_adselfservice_exploit.yml
new file mode 100644
index 000000000..1f049dbf4
--- /dev/null
+++ b/rules/web/web_cve_2021_40539_manageengine_adselfservice_exploit.yml
@@ -0,0 +1,27 @@
+title: CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit
+id: fcbb4a77-f368-4945-b046-4499a1da69d1
+status: experimental
+description: Detects an authentication bypass vulnerability affecting the REST API URLs in ADSelfService Plus (CVE-2021-40539).
+references:
+ - https://therecord.media/cisa-warns-of-zoho-server-zero-day-exploited-in-the-wild/
+ - https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html
+author: Sittikorn S, Nuttakorn L
+date: 2021/09/10
+tags:
+ - attack.initial_access
+ - attack.t1190
+logsource:
+ category: webserver
+ definition: 'Must be collect log from \ManageEngine\ADSelfService Plus\logs'
+detection:
+ selection:
+ c-uri|contains:
+ - '/RestAPI/LogonCustomization'
+ - '/RestAPI/Connection'
+ condition: selection
+fields:
+ - c-ip
+ - c-uri
+falsepositives:
+ - External Pentesting
+level: critical

From 0806e4ccd28271f628e5579965be1ec6dffbf5ff Mon Sep 17 00:00:00 2001
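Review bot: The selection under `detection` matches any request whose URI contains `/RestAPI/LogonCustomization` or `/RestAPI/Connection`, so legitimate use of those endpoints fires the rule just as exploitation does; what the rule actually detects is access to the REST API paths named in the vendor advisory, not the authentication bypass the description claims, and the falsepositives list should say so, e.g. `  - Legitimate use of the ADSelfService Plus REST API endpoints`. With that limitation `level: critical` reads as overstated for a rule that cannot separate exploitation from normal traffic; `level: high`, together with a description that states it flags access to the affected endpoints, would be more honest. The `definition` line under `logsource` also needs rewording, e.g. `definition: 'Web server access logs must be collected from \ManageEngine\ADSelfService Plus\logs'`.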
From: Sittikorn S <61369934+BlackB0lt@users.noreply.github.com>
Date: Fri, 10 Sep 2021 11:30:51 +0700
Subject: [PATCH 2/2] Update web_cve_2021_40539_manageengine_adselfservice_exploit.yml

---
.../web_cve_2021_40539_manageengine_adselfservice_exploit.yml | 1 +
1 file changed, 1 insertion(+)

diff --git a/rules/web/web_cve_2021_40539_manageengine_adselfservice_exploit.yml b/rules/web/web_cve_2021_40539_manageengine_adselfservice_exploit.yml
index 1f049dbf4..a0ff44c94 100644
--- a/rules/web/web_cve_2021_40539_manageengine_adselfservice_exploit.yml
+++ b/rules/web/web_cve_2021_40539_manageengine_adselfservice_exploit.yml
@@ -11,6 +11,7 @@ tags:
 - attack.initial_access
 - attack.t1190
 logsource:
+ product: zoho_manageengine
 category: webserver
 definition: 'Must be collect log from \ManageEngine\ADSelfService Plus\logs'
 detection:
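Review bot: `product: zoho_manageengine` is not, as far as I can tell, a product value that the generic Sigma logsource taxonomy or the common backend field mappings know about, so converters will either fall back to the plain `webserver` category mapping or warn about an unmapped logsource. If a dedicated product value is intended, the `definition` line should tell users that they must map `c-uri` and `c-ip` for this source themselves; otherwise `category: webserver` on its own already describes the log and the added key can be dropped. The `logsource` block is fully inside the hunk, but the rest of the rule continues outside it.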