Potential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code Execution
Detects potential exploitation attempt of CVE-2022-22954, a remote code execution vulnerability in VMware Workspace ONE Access and Identity Manager. As reported by Morphisec, part of the attack chain, threat actors used PowerShell commands that executed as a child processes of the legitimate Tomcat "prunsrv.exe" process application.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
detection:
selection_parent:
ParentImage|endswith: '\prunsrv.exe'
selection_payload_pwsh:
Image|endswith: '\powershell.exe'
selection_payload_cmd:
Image|endswith: '\cmd.exe'
CommandLine|contains: '/c powershell'
condition: selection_parent and 1 of selection_payload_*Some false positives are possible as part of a custom script implementation from admins executed with cmd.exe as the child process.
Sub-techniques
Other