Phoenix
Sigma IntelligenceBeta
Back to Rules
Emerging Threatmediumtest

CVE-2022-31659 VMware Workspace ONE Access RCE

Detects possible exploitation of VMware Workspace ONE Access Admin Remote Code Execution vulnerability as described in CVE-2022-31659

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Nasreddine Bencherchali (Nextron Systems)Created Fri Aug 12Updated Mon Jan 02efdb2003-a922-48aa-8f37-8b80021a97062022
Emerging Threat
Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source
Web Server Log
CategoryWeb Server Log← raw: webserver

HTTP access logs from web servers capturing request paths, methods, and status codes.

Detection Logic
Detection Logic1 selector
detection:
    selection:
        cs-method: 'POST'
        cs-uri-query|contains: '/SAAS/jersey/manager/api/migrate/tenant' # Investigate the contents of the post body and look for any suspicious hosts that might be controlled by the attacker
    condition: selection
False Positives

Vulnerability scanners

Legitimate access to the URI

References
1
Resolving title…
petrusviet.medium.com
MITRE ATT&CK

Other

cve.2022-31659detection.emerging-threats
Rule Metadata
Rule ID
efdb2003-a922-48aa-8f37-8b80021a9706
Status
test
Level
medium
Type
Emerging Threat
Created
Fri Aug 12
Modified
Mon Jan 02
Author
Nasreddine Bencherchali (Nextron Systems)
Path
rules-emerging-threats/2022/Exploits/CVE-2022-31659/web_cve_2022_31659_vmware_rce.yml
Raw Tags
attack.initial-accessattack.t1190cve.2022-31659detection.emerging-threats
View on GitHub