Yara Rule - Detects payload as seen in PoC code to exploit Workspace ONE Access freemarker server-side template injection CVE-2022-22954

Yara definition.

Author: Florian Roth

https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/

Rule fragment for the CVE-2022-22954 PoC payload, with the metadata and strings as given on the page (the rule's `condition` clause is not shown here):

```yara
// Metadata: the rule was renamed in April 2023; the original name is kept for reference
old_rule_name = "EXPL_POC_VMWare_Workspace_ONE_CVE_2022_22954_Apr22"
date = "2022-04-08"
modified = "2023-04-28"
score = 70
// $x1: percent-encoded form of the FreeMarker Execute payload; the leading "%" of the
// first byte ("%66") is deliberately left off so the string matches regardless of
// what precedes it. $x2: the same payload in literal template syntax.
$x1 = "66%72%65%65%6d%61%72%6b%65%72%2e%74%65%6d%70%6c%61%74%65%2e%75%74%69%6c%69%74%79%2e%45%78%65%63%75%74%65%22%3f%6e%65%77%28%29%28" ascii
$x2 = "${\"freemarker.template.utility.Execute\"?new()("
// $x3-$x6: PoC variants that instantiate Execute through #instancemanager after a
// file-read; the \\\" forms cover the payload when it is embedded as a JSON-escaped string
$x3 = "cat /etc/passwd\")).(#execute=#instancemanager.newInstance(\"freemarker.template.utility.Execute"
$x4 = "cat /etc/passwd\\\")).(#execute=#instancemanager.newInstance(\\\"freemarker.template.utility.Execute"
$x5 = "cat /etc/shadow\")).(#execute=#instancemanager.newInstance(\"freemarker.template.utility.Execute"
$x6 = "cat /etc/shadow\\\")).(#execute=#instancemanager.newInstance(\\\"freemarker.template.utility.Execute"
```

The page also carries a fragment of a second, unrelated rule, which matches the Sophos write-up linked above (the rule name is not shown on the page):

```yara
date = "2023-05-05"
modified = "2023-07-28"
score = 50
hash1 = "cdfbe62ef515546f1728189260d0bdf77167063b6dbb77f1db6ed8b61145a2bc"
// Debug (PDB) path string referencing the Process Explorer driver
$a1 = "\\ProcExpDriver.pdb" ascii
```
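
The following is an added example, not part of the signature-base rule or the page, showing why the CVE-2022-22954 rule carries both a percent-encoded and a literal string and how its strings behave against request data. The string values are copied from the rule above; the HTTP sample lines are constructed for this example, and the "any one string is enough" condition is an assumption, since the page does not show the rule's condition clause.

```python
"""Added example: decode $x1 of the CVE-2022-22954 rule and run its strings over
constructed request lines. Rule strings are copied from the page; samples and the
any-string-hits condition are assumptions made for this example."""
from urllib.parse import unquote

# $x1 from the page: percent-encoded payload with the leading "%" of the first
# byte ("%66") left off, so it still matches when a different token precedes it.
X1_PERCENT = "66%72%65%65%6d%61%72%6b%65%72%2e%74%65%6d%70%6c%61%74%65%2e%75%74%69%6c%69%74%79%2e%45%78%65%63%75%74%65%22%3f%6e%65%77%28%29%28"

# All six strings from the page with YARA escapes resolved to the raw bytes they
# match (\" -> ", \\\" -> \").
RULE_STRINGS = {
    "$x1": X1_PERCENT.encode(),
    "$x2": b'${"freemarker.template.utility.Execute"?new()(',
    "$x3": b'cat /etc/passwd")).(#execute=#instancemanager.newInstance("freemarker.template.utility.Execute',
    "$x4": b'cat /etc/passwd\\")).(#execute=#instancemanager.newInstance(\\"freemarker.template.utility.Execute',
    "$x5": b'cat /etc/shadow")).(#execute=#instancemanager.newInstance("freemarker.template.utility.Execute',
    "$x6": b'cat /etc/shadow\\")).(#execute=#instancemanager.newInstance(\\"freemarker.template.utility.Execute',
}


def decode_x1(encoded: str = X1_PERCENT) -> str:
    """Percent-decode $x1 after restoring the dropped leading '%'.
    The result is the tail of $x2, which is why the rule needs both forms."""
    return unquote("%" + encoded)


def match_strings(sample: bytes) -> list[str]:
    """Identifiers of rule strings present in sample, found by plain substring
    search, which is what YARA's default ascii string matching does."""
    return [name for name, needle in RULE_STRINGS.items() if needle in sample]


def rule_fires(sample: bytes) -> bool:
    """Assumed condition: any single string hit fires the rule (the page does
    not show the actual condition clause)."""
    return bool(match_strings(sample))


# Constructed sample request lines (not real traffic). Only the fragments that
# appear in the rule are embedded; the rest of each line is neutral filler.
SAMPLES = {
    "encoded": b"GET /app/endpoint?q=%" + X1_PERCENT.encode() + b"... HTTP/1.1",
    "literal": b"GET /app/endpoint?q=" + RULE_STRINGS["$x2"] + b"... HTTP/1.1",
    "benign": b"GET /app/endpoint?q=freemarker-docs HTTP/1.1",
}


def scan_samples(samples: dict[str, bytes] = SAMPLES) -> dict[str, list[str]]:
    """Map each sample name to the rule strings it triggers."""
    return {name: match_strings(data) for name, data in samples.items()}


if __name__ == "__main__":
    print("$x1 decodes to:", decode_x1())
    for name, hits in scan_samples().items():
        print(f"{name:8s} fires={rule_fires(SAMPLES[name])} hits={hits}")
```

Running it shows that `$x1` decodes to `freemarker.template.utility.Execute"?new()(`, i.e. `$x2` without its `${"` prefix, so a request that percent-encodes the template expression is caught by `$x1` and a request that sends it literally is caught by `$x2`, while the benign line matches nothing.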


[https://github.com/Neo23x0/signature-base/commit/b7069ffa330bb2eec0ff2a69acc65785a78984f6](https://github.com/Neo23x0/signature-base/commit/b7069ffa330bb2eec0ff2a69acc65785a78984f6)