blue-team-tools/rules/web/web_cve_2020_10148_solarwinds_exploit.yml
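title: CVE-2020-10148 SolarWinds Orion API Auth Bypass
id: 5a35116f-43bc-4901-b62d-ef131f42a9af
status: test
description: Detects CVE-2020-10148 SolarWinds Orion API authentication bypass attempts
references:
  - https://kb.cert.org/vuls/id/843464
author: Bhabesh Raj, Tim Shelton
date: 2020/12/27
modified: 2023/01/02
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  # Needs web server access logs from the host serving Orion; the rule
  # inspects the requested URI only, not response codes or bodies.
  category: webserver
detection:
  # URI fragments associated with the bypass (see the referenced CERT note).
  # Matched with |contains, so a hit does not depend on where in the request
  # URI the fragment appears.
  selection:
    cs-uri-query|contains:
      - '/WebResource.axd'
      - '/ScriptResource.axd'
      - '/i18n.ashx'
      - '/Skipi18n'
  # Scopes the match to Orion-related endpoints; the fragments above may also
  # appear in unrelated requests on other applications.
  selection2:
    cs-uri-query|contains:
      - '/SolarWinds/'
      - '/api/'
  # Legitimate Orion request paths that contain one of the fragments above and
  # would otherwise fire the rule on normal use.
  valid_request_1:
    cs-uri-query|contains: 'Orion/Skipi18n/Profiler/'
  valid_request_2:
    cs-uri-query|contains:
      - 'css.i18n.ashx'
      - 'js.i18n.ashx'
  # Both selections must match and neither known-good path may be present.
  condition: all of selection* and not 1 of valid_request_*
falsepositives:
  - Unknown
level: critical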