alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT vCenter Server RCE Chain Final Stage Inbound (CVE-2021-21985)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ui/h5-vsan/"; content:"/&vsanProviderUtils_setVmodlHelper/invoke"; endswith; fast_pattern; http.request_body; content:"|22|methodInput|22|"; content:"|5b 5d|"; distance:0; pcre:"/^\x7b/s*\x22methodInput\x22\s*\x3a\s*\x5b\x5d/"; xbits:isset,ET.2021_21985,track ip_src,expire 60; reference:url,www.iswin.org/2021/06/02/Vcenter-Server-CVE-2021-21985-RCE-PAYLOAD/; reference:cve,2021-21985; classtype:attempted-admin; sid:2033756; rev:1; metadata:attack_target Server, created_at 2021_08_20, cve CVE_2021_21985, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2021_08_20, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)