Emerging Threatcriticaltest

CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit

Detects an authentication bypass vulnerability affecting the REST API URLs in ADSelfService Plus (CVE-2021-40539).

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Sittikorn S, Nuttakorn TungpoonsupCreated Fri Sep 10Updated Mon Jan 02fcbb4a77-f368-4945-b046-4499a1da69d12021

Emerging Threat

Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source

Web Server Log

CategoryWeb Server Log← raw: webserver

HTTP access logs from web servers capturing request paths, methods, and status codes.

Definition

Must be collect log from \ManageEngine\ADSelfService Plus\logs

Detection Logic

detection:
    selection:
        cs-uri-query|contains:
            - '/help/admin-guide/Reports/ReportGenerate.jsp'
            - '/RestAPI/LogonCustomization'
            - '/RestAPI/Connection'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

MITRE ATT&CK

Tactics

TA0001 · Initial Access TA0003 · Persistence

Techniques

T1190 · Exploit Public-Facing Application

Sub-techniques

T1505.003 · Web Shell

Other

cve.2021-40539detection.emerging-threats

Rule Metadata

Rule ID

fcbb4a77-f368-4945-b046-4499a1da69d1

Status

test

Level

critical

Type

Emerging Threat

Created

Fri Sep 10

Modified

Mon Jan 02

Author

Sittikorn S, Nuttakorn Tungpoonsup

Path

rules-emerging-threats/2021/Exploits/CVE-2021-40539/web_cve_2021_40539_manageengine_adselfservice_exploit.yml

Raw Tags

attack.initial-accessattack.t1190attack.persistenceattack.t1505.003cve.2021-40539detection.emerging-threats

View on GitHub