security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
e91fc4486e57fc40e30d12253694de4c80a9e4ea
blue-team-tools/rules/web/web_fortinet_cve_2021_22123_exploit.yml
T
Florian Roth 51a4315ab9 fix: referrer > referer adjustments
2021-12-13 15:47:43 +01:00

31 lines
818 B
YAML
Raw Blame History

title: Fortinet CVE-2021-22123 Exploitation
description: Detects CVE-2021-22123 exploitation attempt against Fortinet WAFs
id: f425637f-891c-4191-a6c4-3bb1b70513b4
status: experimental
references:
- https://www.rapid7.com/blog/post/2021/08/17/fortinet-fortiweb-os-command-injection
author: Bhabesh Raj, Florian Roth
date: 2021/08/19
modified: 2021/11/23
tags:
- attack.initial_access
- attack.t1190
logsource:
category: webserver
detection:
selection:
c-uri|contains: '/api/v2.0/user/remoteserver.saml'
cs-method: POST
filter1:
cs-referer|contains: '/root/user/remote-user/saml-user/'
filter2:
cs-referer: null
condition: selection and not filter1 and not filter2
fields:
- c-ip
- url
- response
falsepositives:
- Unknown
level: critical
Reference in New Issue View Git Blame Copy Permalink