/
ivanti_connect_secure_command_injection_attempts.yml
59 lines (59 loc) · 3.1 KB
/
ivanti_connect_secure_command_injection_attempts.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
name: Ivanti Connect Secure Command Injection Attempts
id: 1f32a7e0-a060-4545-b7de-73fcf9ad536e
version: 2
date: '2024-01-17'
author: Michael Haag, Splunk
status: production
type: TTP
data_source:
- Suricata
description: This analytic is designed to identify the exploit phase of the CVE-2023-46805 and CVE-2024-21887 vulnerabilities. During this phase, a POST request is made to the /api/v1/totp/user-backup-code/../../system/maintenance/archiving/cloud-server-test-connection URI. This request exploits the command injection vulnerability to execute arbitrary commands. A successful request, indicated by a 200 OK response, suggests that the system is vulnerable.
search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN("*/api/v1/totp/user-backup-code/../../system/maintenance/archiving/cloud-server-test-connection*","*/api/v1/totp/user-backup-code/../../license/keys-status/*") Web.http_method IN ("POST", "GET") Web.status=200 by Web.src, Web.dest, Web.http_user_agent, Web.url, Web.http_method, Web.status
| `drop_dm_object_name("Web")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `ivanti_connect_secure_command_injection_attempts_filter`'
how_to_implement: This detection requires the Web datamodel to be populated from a supported Technology Add-On like Suricata, Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto.
known_false_positives: This analytic is limited to HTTP Status 200; adjust as necessary. False positives may occur if the URI path is IP-restricted or externally blocked. It's recommended to review the context of the alerts and adjust the analytic parameters to better fit the specific environment.
references:
- https://github.com/RootUp/PersonalStuff/blob/master/http-vuln-cve2023-46805_2024_21887.nse
- https://github.com/projectdiscovery/nuclei-templates/blob/c6b351e71b0fb0e40e222e97038f1fe09ac58194/http/misconfiguration/ivanti/CVE-2023-46085-CVE-2024-21887-mitigation-not-applied.yaml
- https://github.com/rapid7/metasploit-framework/pull/18708/files
- https://attackerkb.com/topics/AdUh6by52K/cve-2023-46805/rapid7-analysis
- https://labs.watchtowr.com/welcome-to-2024-the-sslvpn-chaos-continues-ivanti-cve-2023-46805-cve-2024-21887/
- https://twitter.com/GreyNoiseIO/status/1747711939466453301
tags:
cve:
- CVE-2023-46805
- CVE-2024-21887
analytic_story:
- Ivanti Connect Secure VPN Vulnerabilities
asset_type: VPN Appliance
atomic_guid: []
confidence: 90
impact: 100
message: Possible exploitation of CVE-2023-46805 and CVE-2024-21887 against $dest$.
mitre_attack_id:
- T1190
observable:
- name: dest
type: Hostname
role:
- Victim
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
risk_score: 90
required_fields:
- Web.src
- Web.dest
- Web.http_user_agent
- Web.url
security_domain: network
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/ivanti/suricata_ivanti_secure_connect_exploitphase.log
source: suricata
sourcetype: suricata