detection.wiki

Detection rules › Sigma

CVE-2020-10148 SolarWinds Orion API Auth Bypass

Status
test
Severity
critical
Log source
category webserver
Author
Bhabesh Raj, Tim Shelton
Source
github.com/SigmaHQ/sigma

Detects CVE-2020-10148 SolarWinds Orion API authentication bypass attempts

MITRE ATT&CK coverage

TacticTechniques
Initial AccessT1190 Exploit Public-Facing Application

Rule body yaml

title: CVE-2020-10148 SolarWinds Orion API Auth Bypass
id: 5a35116f-43bc-4901-b62d-ef131f42a9af
status: test
description: Detects CVE-2020-10148 SolarWinds Orion API authentication bypass attempts
references:
    - https://kb.cert.org/vuls/id/843464
author: Bhabesh Raj, Tim Shelton
date: 2020-12-27
modified: 2023-01-02
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2020-10148
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection:
        cs-uri-query|contains:
            - '/WebResource.axd'
            - '/ScriptResource.axd'
            - '/i18n.ashx'
            - '/Skipi18n'
    selection2:
        cs-uri-query|contains:
            - '/SolarWinds/'
            - '/api/'
    valid_request_1:
        cs-uri-query|contains: 'Orion/Skipi18n/Profiler/'
    valid_request_2:
        cs-uri-query|contains:
            - 'css.i18n.ashx'
            - 'js.i18n.ashx'
    condition: all of selection* and not 1 of valid_request_*
falsepositives:
    - Unknown
level: critical

Stages and Predicates

Stage 0: condition

all of selection* and not 1 of valid_request_*

Stage 1: selection

selection:
    cs-uri-query|contains:
        - '/WebResource.axd'
        - '/ScriptResource.axd'
        - '/i18n.ashx'
        - '/Skipi18n'

Stage 2: selection2

selection2:
    cs-uri-query|contains:
        - '/SolarWinds/'
        - '/api/'

Stage 3: not valid_request_*

valid_request_1:
    cs-uri-query|contains: 'Orion/Skipi18n/Profiler/'
valid_request_2:
    cs-uri-query|contains:
        - 'css.i18n.ashx'
        - 'js.i18n.ashx'

Exclusions

Top-level NOT(...) conjuncts: predicates this rule actively suppresses.

FieldKindExcluded values
cs-uri-querymatchOrion/Skipi18n/Profiler/
cs-uri-querymatchcss.i18n.ashx
cs-uri-querymatchjs.i18n.ashx

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
cs-uri-querymatch
  • /ScriptResource.axd
  • /Skipi18n
  • /SolarWinds/
  • /WebResource.axd
  • /api/
  • /i18n.ashx