From e098fc73cb2fb18c723fd9727e116e9dc9bcb22e Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Tue, 17 Aug 2021 06:24:04 +0200
Subject: [PATCH] add keywords condition
---
 rules/web/web_cve_2021_26858_iis_rce.yml | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/rules/web/web_cve_2021_26858_iis_rce.yml b/rules/web/web_cve_2021_26858_iis_rce.yml
index d630eafed..12b981800 100644
--- a/rules/web/web_cve_2021_26858_iis_rce.yml
+++ b/rules/web/web_cve_2021_26858_iis_rce.yml
@@ -19,7 +19,14 @@ detection:
 - 'schema=Reset'
 - 'VirtualDirectory'
 cs-username|endswith: '$'
- condition: selection
+ keywords:
+ - 'POST'
+ - '200'
+ - '/ecp/DDI/DDIService.svc/SetObject'
+ - 'schema=Reset'
+ - 'VirtualDirectory'
+ - '$'
+ condition: selection or all of keywords
 falsepositives:
 - Unlikely
 level: critical
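Review bot: In the added `keywords` list the entries `'200'` and `'$'` are not tied to any field, so the `all of keywords` branch accepts those strings anywhere in the event, while the `selection` branch anchors `'$'` with `cs-username|endswith`. That makes the new branch looser than the existing one, yet `falsepositives: Unlikely` and `level: critical` are left as they were. I would add a comment above the list, `# fallback for unparsed IIS log lines: values are matched anywhere in the event, not per field`, and state the expected noise under `falsepositives`. It is also worth confirming that the converter in use accepts `all of` on a single keyword list; if it does not, the list can carry the `|all` modifier instead. The `selection` block starts above the hunk, so its other fields are not visible here.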