Description

This is a collection of SIEM detection rules in Elastic Security for web server logs based on the Sigma project. This rule collection checks about suspicious events to find common threats.

Elastic Security detection rules based on Sigma rules

Apache Segmentation Fault
Detects a segmentation fault error message caused by a creashing apache worker process

Apache Threading Error
Detects an issue in apache logs that reports threading related errors

Citrix Netscaler Attack CVE-2019-19781
Detects CVE-2019-19781 exploitation attempt against Citrix Netscaler, Application Delivery Controller and Citrix Gateway Attack

Citrix ADS Exploitation CVE-2020-8193 CVE-2020-8195
Detects exploitation attempt against Citrix Netscaler, Application Delivery Controller (ADS) and Citrix Gateway exploiting vulnerabilities reported as CVE-2020-8193 and CVE-2020-8195

Oracle WebLogic Exploit
Detects access to a webshell dropped into a keystore folder on the WebLogic server

Confluence Exploitation CVE-2019-3398
Detects the exploitation of the Confluence vulnerability described in CVE-2019-3398

CVE-2020-0688 Exchange Exploitation via Web Log
Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688

Oracle WebLogic Exploit CVE-2020-14882
Detects exploitation attempts on WebLogic servers

Cisco ASA FTD Exploit CVE-2020-3452
Detects exploitation attempts on Cisco ASA FTD systems exploiting CVE-2020-3452 with a status code of 200 (sccessful exploitation)

CVE-2020-5902 F5 BIG-IP Exploitation Attempt
Detects the exploitation attempt of the vulnerability found in F5 BIG-IP and described in CVE-2020-5902

Oracle WebLogic Exploit CVE-2021-2109
Detects the exploitation of the WebLogic server vulnerability described in CVE-2021-2109

CVE-2021-21978 Exploitation Attempt
Detects the exploitation of the VMware View Planner vulnerability described in CVE-2021-21978

CVE-2020-0688 Exploitation Attempt
Detects CVE-2020-0688 Exploitation attempts

Exchange Exploitation Used by HAFNIUM
Detects exploitation attempts in Exchange server logs as described in blog posts reporting on HAFNIUM group activity

Fortinet CVE-2018-13379 Exploitation
Detects CVE-2018-13379 exploitation attempt against Fortinet SSL VPNs

Pulse Secure Attack CVE-2019-11510
Detects CVE-2019-11510 exploitation attempt – URI contains Guacamole

CVE-2020-10148 SolarWinds Orion API Auth Bypass
Detects CVE-2020-10148 SolarWinds Orion API authentication bypass attempts

Solarwinds SUPERNOVA Webshell Access
Detects access to SUPERNOVA webshell as described in Guidepoint report

SonicWall SSL/VPN Jarrewrite Exploit
Detects exploitation attempts of the SonicWall Jarrewrite Exploit

Source Code Enumeration Detection by Keyword
Detects source code enumeration that use GET requests by keyword searches in URL strings

TerraMaster TOS CVE-2020-28188
Detects the exploitation of the TerraMaster TOS vulnerability described in CVE-2020-28188

DEWMODE Webshell Access
Detects access to DEWMODE webshell as described in FIREEYE report

CVE-2021-21972 VSphere Exploitation
Detects the exploitation of VSphere Remote Code Execution vulnerability as described in CVE-2021-21972

Webshell Detection by Keyword
Detects webshells that use GET requests by keyword searches in URL strings

Exchange PowerShell Snap-Ins Used by HAFNIUM
Detects adding and using Exchange PowerShell snap-ins to export mailbox data by HAFNIUM

Webshell ReGeorg Detection Via Web Logs
Certain strings in the uri_query field when combined with null referer and null user agent can indicate activity associated with the webshell ReGeorg.

Source

These rules are made by the Sigma Project. This is a collection of rules for several different attack tactics. The rules are created by the Sigma community and translated into the format for the Elastic Security Detection engine.

The translation was made with SIEGMA