alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Attempted VMware Authentication Bypass (CVE-2022-31656)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/SAAS/t/"; startswith; content:"/auth/login/embeddedauthbroker/callback"; fast_pattern; endswith; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; reference:url,twitter.com/VietPetrus/status/1556999921320235009; reference:url,www.greynoise.io/blog/vmware-workspace-one-vulnerabilities-cve-2022-31656-and-cve-2022-31659; reference:cve,2022-31656; classtype:attempted-admin; sid:2038475; rev:1; metadata:created_at 2022_08_10, cve CVE_2022_31656, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)