From e1dff01cea1792bc9a578ec9ae2a708daed2324e Mon Sep 17 00:00:00 2001
From: Bhabesh Rai <brs@logpoint.com>
Date: Wed, 24 Feb 2021 23:48:08 +0545
Subject: [PATCH] Added sigma rule for vSphere RCE CVE-2021-21972

---
 ...here_cve_2021_21972_unauth_rce_exploit.yml | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 rules/web/web_vsphere_cve_2021_21972_unauth_rce_exploit.yml

diff --git a/rules/web/web_vsphere_cve_2021_21972_unauth_rce_exploit.yml b/rules/web/web_vsphere_cve_2021_21972_unauth_rce_exploit.yml
new file mode 100644
index 000000000..9f9525977
--- /dev/null
+++ b/rules/web/web_vsphere_cve_2021_21972_unauth_rce_exploit.yml
@@ -0,0 +1,27 @@
+title: CVE-2021-21972 VSphere Exploitation 
+id: 179ed852-0f9b-4009-93a7-68475910fd86
+status: experimental
+description: Detects the exploitation of VSphere Remote Code Execution vulnerability as described in CVE-2021-21972
+author: Bhabesh Raj
+date: 2021/02/24
+references:
+    - https://www.vmware.com/security/advisories/VMSA-2021-0002.html
+    - https://f5.pm/go-59627.html
+    - https://swarm.ptsecurity.com/unauth-rce-vmware
+logsource:
+    category: webserver
+detection:
+    selection:
+        cs-method: 'POST'
+        c-uri:
+            - '/ui/vropspluginui/rest/services/uploadova'
+    condition: selection
+fields:
+    - c-ip
+    - c-dns
+falsepositives:
+    - Unknown
+level: critical
+tags:
+    - attack.initial_access
+    - attack.t1190