Emerging Threathightest

Sitecore Pre-Auth RCE CVE-2021-42237

Detects exploitation attempts of Sitecore Experience Platform Pre-Auth RCE CVE-2021-42237 found in Report.ashx

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Florian Roth (Nextron Systems)Created Wed Nov 17Updated Mon Jan 0220c6ed1c-f7f0-4ea3-aa65-4f198e6acb0f2021

Emerging Threat

Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source

Web Server Log

CategoryWeb Server Log← raw: webserver

HTTP access logs from web servers capturing request paths, methods, and status codes.

Detection Logic

detection:
    selection:
        cs-method: 'POST'
        cs-uri-query|contains: '/sitecore/shell/ClientBin/Reporting/Report.ashx'
        sc-status: 200
    condition: selection

False Positives

Vulnerability Scanning

References

MITRE ATT&CK

Tactics

TA0001 · Initial Access

Techniques

T1190 · Exploit Public-Facing Application

Other

cve.2021-42237detection.emerging-threats

Rule Metadata

Rule ID

20c6ed1c-f7f0-4ea3-aa65-4f198e6acb0f

Status

test

Level

high

Type

Emerging Threat

Created

Wed Nov 17

Modified

Mon Jan 02

Author

Florian Roth (Nextron Systems)

Path

rules-emerging-threats/2021/Exploits/CVE-2021-42237/web_cve_2021_42237_sitecore_report_ashx.yml

Raw Tags

attack.initial-accessattack.t1190cve.2021-42237detection.emerging-threats

View on GitHub