Showing 5 changed files with 91 additions and 0 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,66 @@ | ||
name: WS FTP Remote Code Execution | ||
id: b84e8f39-4e7b-4d4f-9e7c-fcd29a227845 | ||
version: 1 | ||
date: '2023-10-01' | ||
author: Michael Haag, Splunk | ||
status: production | ||
type: TTP | ||
data_source: [] | ||
description: 'The following analytic is designed to detect a Remote Code Execution (RCE) vulnerability (CVE-2023-40044) in WS_FTP, a managed file transfer software by Progress. The search specifically looks for HTTP requests to the "/AHT/AhtApiService.asmx/AuthUser" URL with a status of 200, which could indicate an exploitation attempt.' | ||
search: '| tstats count min(_time) as firstTime max(_time) | ||
as lastTime from datamodel=Web where Web.url IN ("/AHT/AhtApiService.asmx/AuthUser") Web.status=200 Web.http_method=POST | ||
by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | ||
| `drop_dm_object_name("Web")` | ||
| `security_content_ctime(firstTime)` | ||
| `security_content_ctime(lastTime)` | `ws_ftp_remote_code_execution_filter`' | ||
how_to_implement: The following analytic requires the Web datamodel. Ensure data source is mapped correctly or modify and tune for your data source. | ||
known_false_positives: If WS_FTP Server is not in use, this analytic will not return results. Monitor and tune for your environment. | ||
references: | ||
- https://github.com/projectdiscovery/nuclei-templates/pull/8296/files | ||
- https://www.assetnote.io/resources/research/rce-in-progress-ws-ftp-ad-hoc-via-iis-http-modules-cve-2023-40044 | ||
tags: | ||
cve: | ||
- CVE-2023-40044 | ||
analytic_story: | ||
- WS FTP Server Critical Vulnerabilities | ||
asset_type: Web server | ||
atomic_guid: [] | ||
confidence: 80 | ||
impact: 90 | ||
message: Potential WS FTP Remote Code Execution detected against URL $url$ on $dest$ from $src$ | ||
mitre_attack_id: | ||
- T1190 | ||
observable: | ||
- name: url | ||
type: URL String | ||
role: | ||
- Other | ||
- name: dest | ||
type: Hostname | ||
role: | ||
- Victim | ||
- name: src | ||
type: IP Address | ||
role: | ||
- Attacker | ||
product: | ||
- Splunk Enterprise | ||
- Splunk Enterprise Security | ||
- Splunk Cloud | ||
risk_score: 72 | ||
required_fields: | ||
- Web.http_user_agent | ||
- Web.status | ||
- Web.http_method | ||
- Web.url | ||
- Web.url_length | ||
- Web.src | ||
- Web.dest | ||
- sourcetype | ||
security_domain: network | ||
tests: | ||
- name: True Positive Test | ||
attack_data: | ||
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/ws_ftp/wsftpweb.log | ||
source: suricata | ||
sourcetype: suricata |
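Review bot: `data_source: []` is left empty although the test at the end of this file replays a Suricata dataset (`source: suricata`, `sourcetype: suricata`) and `how_to_implement` states the search depends on the Web datamodel; list the data source the search is expected to run over so the analytic documents what feeds it. Two smaller points in the same hunk: the `by` clause mixes separators (`by Web.http_user_agent, Web.status Web.http_method, Web.url, ...`), so add the missing comma after `Web.status` for consistency with the rest of the list; and `known_false_positives` only covers the case where WS_FTP is not deployed, whereas the search matches every successful POST to an endpoint named `AuthUser`, so ordinary Ad Hoc Transfer authentications would also match. State that benign hits are expected and point at the `Web.http_user_agent` and `Web.url_length` fields the search already groups on as the place to tune.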
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,22 @@ | ||
name: WS FTP Server Critical Vulnerabilities | ||
id: 60466291-3ab4-452b-9c11-456aa2dc7293 | ||
version: 1 | ||
date: '2023-10-01' | ||
author: Michael Haag, Splunk | ||
description: A critical security advisory was released by Progress Software on September 27, 2023, concerning multiple vulnerabilities in WS_FTP Server, a widely-used secure file transfer solution. The two critical vulnerabilities are CVE-2023-40044, a .NET deserialization flaw, and CVE-2023-42657, a directory traversal vulnerability. Rapid7 has observed active exploitation of these vulnerabilities. Affected versions are prior to 8.7.4 and 8.8.2. Immediate action is advised - upgrade to WS_FTP Server version 8.8.2. For those unable to update, disabling the Ad Hoc Transfer module is suggested as a temporary measure. This comes in the wake of increased scrutiny following the Cl0p ransomware attack on MOVEit Transfer in May 2023. | ||
narrative: Two critical vulnerabilities have been identified in WS_FTP Server, a widely-used secure file transfer solution. The first, CVE-2023-40044, is a .NET deserialization flaw that targets the Ad Hoc Transfer module of WS_FTP Server versions earlier than 8.7.4 and 8.8.2. This flaw allows an attacker to execute arbitrary commands on the server's operating system without needing authentication. The second vulnerability, CVE-2023-42657, is a directory traversal flaw that allows attackers to perform unauthorized file operations outside of their authorized WS_FTP folder. In severe cases, the attacker could escape the WS_FTP Server file structure and perform operations on the underlying operating system. Both vulnerabilities have been observed being exploited in the wild and immediate action for mitigation is strongly advised. Updating to WS_FTP Server version 8.8.2 is recommended. For those unable to update, disabling the Ad Hoc Transfer module is suggested as a temporary measure. | ||
references: | ||
- https://www.assetnote.io/resources/research/rce-in-progress-ws-ftp-ad-hoc-via-iis-http-modules-cve-2023-40044 | ||
- https://community.progress.com/s/article/WS-FTP-Server-Critical-Vulnerability-September-2023 | ||
- https://www.cve.org/CVERecord?id=CVE-2023-40044 | ||
- https://www.rapid7.com/blog/post/2023/09/29/etr-critical-vulnerabilities-in-ws_ftp-server/ | ||
- https://www.splunk.com/en_us/blog/security/fantastic-iis-modules-and-how-to-find-them.html | ||
tags: | ||
analytic_story: WS FTP Server Critical Vulnerabilities | ||
category: | ||
- Adversary Tactics | ||
product: | ||
- Splunk Enterprise | ||
- Splunk Enterprise Security | ||
- Splunk Cloud | ||
usecase: Advanced Threat Detection |
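Review bot: `narrative` restates `description` almost verbatim (both carry the same affected-version, upgrade-to-8.8.2 and disable-Ad-Hoc-Transfer sentences), which defeats the purpose of having a short summary field next to a long one; trim `description` to one or two sentences and keep the detail in `narrative`. The description also mentions Rapid7's observation of active exploitation and the MOVEit context while `narrative` does not, so decide which field owns those points rather than splitting them. Minor style: "Immediate action is advised - upgrade to WS_FTP Server version 8.8.2" uses a hyphen as a dash; a colon or full stop reads better.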