vmware-vcenter-vmsa-2021-0027 Configuration

« vmware-vcenter-vmsa-2021-0027 »
v0.2 by crowdsecurity
Attack scenarioremediation:trueservice:vmwarespoofable:0MITRE:T1190MITRE:T1595confidence:3

Detect VMSA-2021-0027 exploitation attemps

Installation

cscli scenarios install crowdsecurity/vmware-vcenter-vmsa-2021-0027

Description

Detect exploitation of VMSA-2021-0027

Ref: https://www.vmware.com/security/advisories/VMSA-2021-0027.html

YAML Configuration

1type: trigger
2format: 2.0
3name: crowdsecurity/vmware-vcenter-vmsa-2021-0027
4description: "Detect VMSA-2021-0027 exploitation attemps"
5filter: |
6  evt.Meta.log_type in ['http_access-log', 'http_error-log'] && evt.Meta.http_path matches '/ui/vcav-bootstrap/rest/vcav-providers/provider-logo\\?url=(file|http)'
7groupby: "evt.Meta.source_ip"
8blackhole: 2m
9labels:
10  confidence: 3
11  spoofable: 0
12  classification:
13    - attack.T1190
14    - attack.T1595
15    - cve.CVE-2021-0027
16  behavior: "vm-management:exploit"
17  label: "VMWARE VCenter VMSA CVE-2021-0027"
18  remediation: true
19  service: vmware
20

Hub configuration

« vmware-vcenter-vmsa-2021-0027 »v0.2 by crowdsecurityAttack scenarioremediation:trueservice:vmwareCVE-2021-0027spoofable:0MITRE:T1190MITRE:T1595confidence:3

« vmware-vcenter-vmsa-2021-0027 »
v0.2 by crowdsecurity
Attack scenarioremediation:trueservice:vmwarespoofable:0MITRE:T1190MITRE:T1595confidence:3