Branch was auto-updated.

detections/endpoint/detect_webshell_exploit_behavior.yml

@@ -49,6 +49,7 @@ tags:
   - CISA AA22-264A
   - Citrix ShareFile RCE CVE-2023-24489
   - Flax Typhoon
+  - WS FTP Server Critical Vulnerabilities
   asset_type: Endpoint
   confidence: 80
   impact: 100

detections/endpoint/w3wp_spawning_shell.yml

@@ -49,6 +49,7 @@ tags:
   - BlackByte Ransomware
   - CISA AA22-264A
   - Flax Typhoon
+  - WS FTP Server Critical Vulnerabilities
   asset_type: Endpoint
   confidence: 80
   cve:

detections/endpoint/windows_iis_components_get_webglobalmodule_module_query.yml

@@ -23,6 +23,7 @@ references:
 tags:
   analytic_story:
   - IIS Components
+  - WS FTP Server Critical Vulnerabilities
   asset_type: Endpoint
   confidence: 10
   impact: 10

detections/web/ws_ftp_remote_code_execution.yml

@@ -0,0 +1,66 @@
+name: WS FTP Remote Code Execution
+id: b84e8f39-4e7b-4d4f-9e7c-fcd29a227845
+version: 1
+date: '2023-10-01'
+author: Michael Haag, Splunk
+status: production
+type: TTP
+data_source: []
+description: 'The following analytic is designed to detect a Remote Code Execution (RCE) vulnerability (CVE-2023-40044) in WS_FTP, a managed file transfer software by Progress. The search specifically looks for HTTP requests to the "/AHT/AhtApiService.asmx/AuthUser" URL with a status of 200, which could indicate an exploitation attempt.'
+search: '| tstats count min(_time) as firstTime max(_time)
+  as lastTime from datamodel=Web where Web.url IN ("/AHT/AhtApiService.asmx/AuthUser") Web.status=200 Web.http_method=POST
+  by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype
+  | `drop_dm_object_name("Web")`
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)` | `ws_ftp_remote_code_execution_filter`'
+how_to_implement: The following analytic requires the Web datamodel. Ensure data source is mapped correctly or modify and tune for your data source.
+known_false_positives: If WS_FTP Server is not in use, this analytic will not return results. Monitor and tune for your environment.
+references:
+- https://github.com/projectdiscovery/nuclei-templates/pull/8296/files
+- https://www.assetnote.io/resources/research/rce-in-progress-ws-ftp-ad-hoc-via-iis-http-modules-cve-2023-40044
+tags:
+  cve:
+  - CVE-2023-40044
+  analytic_story:
+  - WS FTP Server Critical Vulnerabilities
+  asset_type: Web server
+  atomic_guid: []
+  confidence: 80
+  impact: 90
+  message: Potential WS FTP Remote Code Execution detected against URL $url$ on $dest$ from $src$
+  mitre_attack_id:
+  - T1190
+  observable:
+  - name: url
+    type: URL String
+    role:
+    - Other
+  - name: dest
+    type: Hostname
+    role:
+    - Victim 
+  - name: src
+    type: IP Address
+    role:
+    - Attacker   
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  risk_score: 72
+  required_fields:
+  - Web.http_user_agent
+  - Web.status
+  - Web.http_method
+  - Web.url
+  - Web.url_length
+  - Web.src
+  - Web.dest
+  - sourcetype
+  security_domain: network
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/ws_ftp/wsftpweb.log
+    source: suricata
+    sourcetype: suricata

stories/ws_ftp_server_critical_vulnerabilities.yml

@@ -0,0 +1,22 @@
+name: WS FTP Server Critical Vulnerabilities
+id: 60466291-3ab4-452b-9c11-456aa2dc7293
+version: 1
+date: '2023-10-01'
+author: Michael Haag, Splunk
+description: A critical security advisory was released by Progress Software on September 27, 2023, concerning multiple vulnerabilities in WS_FTP Server, a widely-used secure file transfer solution. The two critical vulnerabilities are CVE-2023-40044, a .NET deserialization flaw, and CVE-2023-42657, a directory traversal vulnerability. Rapid7 has observed active exploitation of these vulnerabilities. Affected versions are prior to 8.7.4 and 8.8.2. Immediate action is advised - upgrade to WS_FTP Server version 8.8.2. For those unable to update, disabling the Ad Hoc Transfer module is suggested as a temporary measure. This comes in the wake of increased scrutiny following the Cl0p ransomware attack on MOVEit Transfer in May 2023.
+narrative: Two critical vulnerabilities have been identified in WS_FTP Server, a widely-used secure file transfer solution. The first, CVE-2023-40044, is a .NET deserialization flaw that targets the Ad Hoc Transfer module of WS_FTP Server versions earlier than 8.7.4 and 8.8.2. This flaw allows an attacker to execute arbitrary commands on the server's operating system without needing authentication. The second vulnerability, CVE-2023-42657, is a directory traversal flaw that allows attackers to perform unauthorized file operations outside of their authorized WS_FTP folder. In severe cases, the attacker could escape the WS_FTP Server file structure and perform operations on the underlying operating system. Both vulnerabilities have been observed being exploited in the wild and immediate action for mitigation is strongly advised. Updating to WS_FTP Server version 8.8.2 is recommended. For those unable to update, disabling the Ad Hoc Transfer module is suggested as a temporary measure.
+references:
+- https://www.assetnote.io/resources/research/rce-in-progress-ws-ftp-ad-hoc-via-iis-http-modules-cve-2023-40044
+- https://community.progress.com/s/article/WS-FTP-Server-Critical-Vulnerability-September-2023
+- https://www.cve.org/CVERecord?id=CVE-2023-40044
+- https://www.rapid7.com/blog/post/2023/09/29/etr-critical-vulnerabilities-in-ws_ftp-server/
+- https://www.splunk.com/en_us/blog/security/fantastic-iis-modules-and-how-to-find-them.html
+tags:
+  analytic_story: WS FTP Server Critical Vulnerabilities
+  category:
+  - Adversary Tactics
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  usecase: Advanced Threat Detection