YARA rules for CVE-2022-2295

2 rules, scoped to this CVE.
YARA rules whose family, name, or description matches this CVE or its tooling. Use these for binary-pattern hunts.

SUSP_EXPL_POC_VMWare_Workspace_ONE_CVE_2022_22954_Apr22_1
Detects payload as seen in PoC code to exploit Workspace ONE Access freemarker server-side template injection CVE-2022-22954
Author: Florian Roth. License: see source repo.
rule SUSP_EXPL_POC_VMWare_Workspace_ONE_CVE_2022_22954_Apr22_1 {
   meta:
      old_rule_name = "EXPL_POC_VMWare_Workspace_ONE_CVE_2022_22954_Apr22"
      description = "Detects payload as seen in PoC code to exploit Workspace ONE Access freemarker server-side template injection CVE-2022-22954"
      author = "Florian Roth"
      reference = "https://github.com/sherlocksecurity/VMware-CVE-2022-22954"
      reference2 = "https://twitter.com/rwincey/status/1512241638994853891/photo/1"
      date = "2022-04-08"
      modified = "2025-03-29"
      score = 60
   strings:
      $x2 = "${\"freemarker.template.utility.Execute\"?new()("
      $x3 = "cat /etc/passwd\")).(#execute=#instancemanager.newInstance(\"freemarker.template.utility.Execute"
      $x4 = "cat /etc/passwd\\\")).(#execute=#instancemanager.newInstance(\\\"freemarker.template.utility.Execute"
      $x5 = "cat /etc/shadow\")).(#execute=#instancemanager.newInstance(\"freemarker.template.utility.Execute"
      $x6 = "cat /etc/shadow\\\")).(#execute=#instancemanager.newInstance(\\\"freemarker.template.utility.Execute"

      $fpg1 = "All Rights"
      $fpg2 = "<html"
      $fpg3 = "<HTML"
      $fpg4 = "Copyright" ascii wide
      $fpg5 = "License"
      $fpg6 = "<?xml"
      $fpg7 = "Help" fullword
      $fpg8 = "COPYRIGHT" ascii wide fullword
      $fpg9 = "Backup"

      $fp1 = "severity: critical" // nuclei
   condition:
      1 of ($x*)
      and not 1 of ($fp*)
}
LOG_SUSP_EXPL_POC_VMWare_Workspace_ONE_CVE_2022_22954_Apr22_
Detects payload as seen in PoC code to exploit Workspace ONE Access freemarker server-side template injection CVE-2022-22954
Author: Florian Roth. License: see source repo.
rule LOG_SUSP_EXPL_POC_VMWare_Workspace_ONE_CVE_2022_22954_Apr22_ {
   meta:
      old_rule_name = "EXPL_POC_VMWare_Workspace_ONE_CVE_2022_22954_Apr22"
      description = "Detects payload as seen in PoC code to exploit Workspace ONE Access freemarker server-side template injection CVE-2022-22954"
      author = "Florian Roth"
      reference = "https://github.com/sherlocksecurity/VMware-CVE-2022-22954"
      reference2 = "https://twitter.com/rwincey/status/1512241638994853891/photo/1"
      date = "2022-04-08"
      modified = "2025-03-29"
      score = 60
   strings:
      $x1 = "66%72%65%65%6d%61%72%6b%65%72%2e%74%65%6d%70%6c%61%74%65%2e%75%74%69%6c%69%74%79%2e%45%78%65%63%75%74%65%22%3f%6e%65%77%28%29%28" ascii

      $fp2 = "ModSecurity"
      $fp3 = " 302 -"
   condition:
      1 of ($x*)
      and not 1 of ($fp*)
}
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin