Emerging Threathightest

CVE-2022-31656 VMware Workspace ONE Access Auth Bypass

Detects the exploitation of VMware Workspace ONE Access Authentication Bypass vulnerability as described in CVE-2022-31656 VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Nasreddine Bencherchali (Nextron Systems)Created Fri Aug 12Updated Mon Jan 02fcf1101d-07c9-49b2-ad81-7e421ff96d802022

Emerging Threat

Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source

Web Server Log

CategoryWeb Server Log← raw: webserver

HTTP access logs from web servers capturing request paths, methods, and status codes.

Detection Logic

detection:
    selection:
        cs-uri-query|contains: '/SAAS/t/_/;/'
    condition: selection

False Positives

Vulnerability scanners

References

Resolving title…

petrusviet.medium.com

MITRE ATT&CK

Tactics

TA0001 · Initial Access

Techniques

T1190 · Exploit Public-Facing Application

Other

cve.2022-31656detection.emerging-threats

Rule Metadata

Rule ID

fcf1101d-07c9-49b2-ad81-7e421ff96d80

Status

test

Level

high

Type

Emerging Threat

Created

Fri Aug 12

Modified

Mon Jan 02

Author

Nasreddine Bencherchali (Nextron Systems)

Path

rules-emerging-threats/2022/Exploits/CVE-2022-31656/web_cve_2022_31656_auth_bypass.yml

Raw Tags

attack.initial-accessattack.t1190cve.2022-31656detection.emerging-threats

View on GitHub