Some legitimate software updates or administrative scripts may create files in the VMware Workspace ONE path, triggering alerts. Review and allow trusted processes to reduce false positives.

Techniques

Sample rules

Windows Potential Web Shell Creation For VMware Workspace ONE

Description

This analytic looks for evidence of web shells being created in the VMware Workspace ONE path on Windows or Linux systems; Workspace ONE has been actively exploited by attackers via CVE-2022-22954.

Detection logic

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime
    from datamodel=Endpoint.Filesystem
    where Filesystem.file_path IN ("*/vmware/horizon/workspace/webapps/*", "*\\vmware\\horizon\\workspace\\webapps\\*")
          Filesystem.file_path="*.jsp"
    by Filesystem.dest Filesystem.file_create_time Filesystem.process_path Filesystem.process_guid
       Filesystem.process_id Filesystem.file_path Filesystem.file_name Filesystem.user
       Filesystem.vendor_product Filesystem.action
| `drop_dm_object_name(Filesystem)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_potential_web_shell_creation_for_vmware_workspace_one_filter`
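As an added example (not part of the original rule or of the Splunk security content project), the same path and extension matching, the grouping, and the allowlisting of trusted processes that the false-positive note recommends, run in Python over constructed file-creation events; the updater path in the allowlist is hypothetical and stands in for the rule's `_filter` macro.

```python
import fnmatch
from dataclasses import dataclass

# Wildcards copied from the rule's WHERE clause (Linux and Windows separators).
PATH_GLOBS = ("*/vmware/horizon/workspace/webapps/*", "*\\vmware\\horizon\\workspace\\webapps\\*")
# Constructed allowlist standing in for the rule's `_filter` macro: process paths an
# analyst has reviewed and trusts. The updater path is hypothetical, not from the page.
TRUSTED_PROCESS_PATHS = {"/opt/vmware/bin/horizon-updater"}

@dataclass
class FileEvent:
    time: int  # _time, epoch seconds
    dest: str
    file_path: str
    process_path: str
    user: str

def matches_rule(ev: FileEvent) -> bool:
    """Mirror the tstats WHERE clause. Splunk wildcard matches are case-insensitive
    and '*' spans path separators, so lowercase the path and use fnmatch."""
    path = ev.file_path.lower()
    in_webapps = any(fnmatch.fnmatchcase(path, g) for g in PATH_GLOBS)
    return in_webapps and fnmatch.fnmatchcase(path, "*.jsp")

def run_detection(events: list) -> dict:
    """Apply the WHERE clause and the allowlist, then aggregate like the BY clause
    (keyed here on dest + file_path) with count/firstTime/lastTime per group."""
    groups = {}
    for ev in events:
        if not matches_rule(ev) or ev.process_path in TRUSTED_PROCESS_PATHS:
            continue
        g = groups.setdefault((ev.dest, ev.file_path), {
            "count": 0, "firstTime": ev.time, "lastTime": ev.time,
            "process_path": ev.process_path, "user": ev.user})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], ev.time)
        g["lastTime"] = max(g["lastTime"], ev.time)
    return groups

# Constructed sample events: repeated JSP drop by the web server, JSP by the trusted
# updater (allowlisted), a non-JSP deployment, and a JSP drop on a Windows host.
WEBAPPS = "/opt/vmware/horizon/workspace/webapps/ROOT/"
SAMPLE_EVENTS = [
    FileEvent(1700000000, "vwsone01", WEBAPPS + "cmd.jsp", "/usr/bin/java", "horizon"),
    FileEvent(1700000060, "vwsone01", WEBAPPS + "cmd.jsp", "/usr/bin/java", "horizon"),
    FileEvent(1700000120, "vwsone01", WEBAPPS + "index.jsp", "/opt/vmware/bin/horizon-updater", "root"),
    FileEvent(1700000180, "vwsone01", WEBAPPS + "app.war", "/usr/bin/java", "horizon"),
    FileEvent(1700000240, "WSONE-WIN01", "C:\\Program Files\\VMware\\Horizon\\Workspace\\webapps\\ROOT\\shell.jsp",
              "C:\\Windows\\System32\\cmd.exe", "SYSTEM"),
]
```

Calling `run_detection(SAMPLE_EVENTS)` yields two groups: the Linux `cmd.jsp` with count 2 and the Windows `shell.jsp`, while the updater-written `index.jsp` and the `.war` file are dropped.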