Emerging Threathightest
Potential CVE-2022-46169 Exploitation Attempt
Detects potential exploitation attempts that target the Cacti Command Injection CVE-2022-46169
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Nasreddine Bencherchali (Nextron Systems)Created Tue Dec 27Updated Mon Jan 02738cb115-881f-4df3-82cc-56ab02fc51922022
Emerging Threat
Active Threat
Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.
Log Source
Web Server Log
CategoryWeb Server Log← raw: webserver
HTTP access logs from web servers capturing request paths, methods, and status codes.
Detection Logic
Detection Logic1 selector
detection:
selection:
# Check for the presence of the X-FORWARDED-FOR header pointing to the hostname of the server running Cacti (which indicate auth bypass)
# Check for previous requests indicating the bruteforce of the "local_data_ids" and "host_id"
cs-method: 'GET'
cs-uri-query|contains|all:
- '/remote_agent.php'
- 'action=polldata'
- 'poller_id='
cs-uri-query|contains:
# From https://github.com/rapid7/metasploit-framework/pull/17407/files#diff-972a47250ccd30b935a59e8871134956a15980df5b29f9d970414646704d5258R288
# Not tested could be shown in other format (update if you have more info)
- '| base64 -d | /bin/bash`'
- '%7C%20base64%20-d%20%7C%20%2Fbin%2Fbash%60' # URL encoded version
# Add more suspicious commands accordingly
- '`whoami'
- 'powershell'
- 'cmd'
- 'wget'
condition: selectionFalse Positives
Web vulnerability scanners
MITRE ATT&CK
Tactics
Other
cve.2022-46169detection.emerging-threats
Rule Metadata
Rule ID
738cb115-881f-4df3-82cc-56ab02fc5192
Status
test
Level
high
Type
Emerging Threat
Created
Tue Dec 27
Modified
Mon Jan 02
Path
rules-emerging-threats/2022/Exploits/CVE-2022-46169/web_cve_2022_46169_cacti_exploitation_attempt.yml
Raw Tags
attack.initial-accessattack.t1190cve.2022-46169detection.emerging-threats