Sneed-Reactivity/yara-Neo23x0/expl_adselfservice_cve_2021_40539.yar


rule LOG_EXPL_ADSelfService_CVE_2021_40539_ADSLOG_Sep21 : LOG {
   meta:
      description = "Detects suspicious log lines produeced during the exploitation of ADSelfService vulnerability CVE-2021-40539"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://us-cert.cisa.gov/ncas/alerts/aa21-259a"
      date = "2021-09-20"
      score = 70
      id = "156317c6-e726-506d-8b07-4f74dae2807f"
   strings:
      $x1 = "Java traceback errors that include references to NullPointerException in addSmartCardConfig or getSmartCardConfig" ascii wide
   condition:
      filesize < 50MB and 1 of them
}

rule LOG_EXPL_ADSelfService_CVE_2021_40539_WebLog_Sep21_1 : LOG {
   meta:
      description = "Detects suspicious log lines produeced during the exploitation of ADSelfService vulnerability CVE-2021-40539"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://us-cert.cisa.gov/ncas/alerts/aa21-259a"
      date = "2021-09-20"
      score = 60
      id = "015957a6-8778-5836-af94-6e6d3838f693"
   strings:
      $x1 = "/ServletApi/../RestApi/LogonCustomization" ascii wide
      $x2 = "/ServletApi/../RestAPI/Connection" ascii wide
   condition:
      filesize < 50MB and 1 of them
}
OMG ISTG PLS WORK RED PILL :red_circle: :pill: 2024-07-25 12:43:35 -05:00
			`rule LOG_EXPL_ADSelfService_CVE_2021_40539_ADSLOG_Sep21 : LOG {`
			`meta:`
			`description = "Detects suspicious log lines produeced during the exploitation of ADSelfService vulnerability CVE-2021-40539"`
			`author = "Florian Roth (Nextron Systems)"`
			`reference = "https://us-cert.cisa.gov/ncas/alerts/aa21-259a"`
			`date = "2021-09-20"`
			`score = 70`
			`id = "156317c6-e726-506d-8b07-4f74dae2807f"`
			`strings:`
			`$x1 = "Java traceback errors that include references to NullPointerException in addSmartCardConfig or getSmartCardConfig" ascii wide`
			`condition:`
			`filesize < 50MB and 1 of them`
			`}`

			`rule LOG_EXPL_ADSelfService_CVE_2021_40539_WebLog_Sep21_1 : LOG {`
			`meta:`
			`description = "Detects suspicious log lines produeced during the exploitation of ADSelfService vulnerability CVE-2021-40539"`
			`author = "Florian Roth (Nextron Systems)"`
			`reference = "https://us-cert.cisa.gov/ncas/alerts/aa21-259a"`
			`date = "2021-09-20"`
			`score = 60`
			`id = "015957a6-8778-5836-af94-6e6d3838f693"`
			`strings:`
			`$x1 = "/ServletApi/../RestApi/LogonCustomization" ascii wide`
			`$x2 = "/ServletApi/../RestAPI/Connection" ascii wide`
			`condition:`
			`filesize < 50MB and 1 of them`
			`}`