Added sigma rule for vSphere RCE CVE-2021-21972

rules/web/web_vsphere_cve_2021_21972_unauth_rce_exploit.yml

@@ -0,0 +1,27 @@
+title: CVE-2021-21972 VSphere Exploitation 
+id: 179ed852-0f9b-4009-93a7-68475910fd86
+status: experimental
+description: Detects the exploitation of VSphere Remote Code Execution vulnerability as described in CVE-2021-21972
+author: Bhabesh Raj
+date: 2021/02/24
+references:
+    - https://www.vmware.com/security/advisories/VMSA-2021-0002.html
+    - https://f5.pm/go-59627.html
+    - https://swarm.ptsecurity.com/unauth-rce-vmware
+logsource:
+    category: webserver
+detection:
+    selection:
+        cs-method: 'POST'
+        c-uri:
+            - '/ui/vropspluginui/rest/services/uploadova'
+    condition: selection
+fields:
+    - c-ip
+    - c-dns
+falsepositives:
+    - Unknown
+level: critical
+tags:
+    - attack.initial_access
+    - attack.t1190