Hub configuration

More info

vmware-cve-2022-22954 Scenario

« vmware-cve-2022-22954 »
v0.3 by crowdsecurity
Attack scenarioremediation:trueservice:vmwarespoofable:0MITRE:T1190MITRE:T1595confidence:3

Detect Vmware CVE-2022-22954 exploitation attempts

Installation

cscli scenarios install crowdsecurity/vmware-cve-2022-22954

Description

Detect exploitation of Vmware CVE-2022-22954

Ref: https://www.vmware.com/security/advisories/VMSA-2022-0011.html Poc: https://github.com/sherlocksecurity/VMware-CVE-2022-22954

YAML Configuration

1type: trigger
2format: 2.0
3name: crowdsecurity/vmware-cve-2022-22954
4description: "Detect Vmware CVE-2022-22954 exploitation attempts"
5filter: |
6  evt.Meta.log_type in ['http_access-log', 'http_error-log'] && Upper(QueryUnescape(evt.Meta.http_path)) startsWith Upper('/catalog-portal/ui/oauth/verify?error=&deviceUdid=${"freemarker.template.utility.Execute"?new()(')
7groupby: "evt.Meta.source_ip"
8blackhole: 2m
9labels:
10  confidence: 3
11  spoofable: 0
12  classification:
13    - attack.T1190
14    - attack.T1595
15    - cve.CVE-2022-22954
16  behavior: "vm-management:exploit"
17  label: "VMWARE CVE-2022-22954"
18  remediation: true
19  service: vmware
20

Hub configuration

« vmware-cve-2022-22954 »v0.3 by crowdsecurityAttack scenarioremediation:trueservice:vmwareCVE-2022-22954spoofable:0MITRE:T1190MITRE:T1595confidence:3

« vmware-cve-2022-22954 »
v0.3 by crowdsecurity
Attack scenarioremediation:trueservice:vmwarespoofable:0MITRE:T1190MITRE:T1595confidence:3