LoFP LoFP / t1190

t1190

TitleTags
3rd party apache modules - https://bz.apache.org/bugzilla/show_bug.cgi?id=46185
a syntax error in mysql also occurs in non-dynamic (safe) queries if there is an empty in() clause, that may often be the case.
access level modifications may be done by a system or network administrator. verify whether the username, hostname, and/or resource name should be making changes in your environment. access level modifications from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
application bugs
be aware of potential false positives - legitimate uses of the /webauth_operation.php endpoint may cause benign activities to be flagged.the url in the analytic is specific to a successful attempt to exploit the vulnerability. review contents of the http body to determine if the request is malicious. if the request is benign, add the url to the whitelist or continue to monitor.
expected to be continuously seen on systems exposed to the internet
exploits that were attempted but unsuccessful.
false positives are limited.
false positives are not expected, as the detection is based on the presence of file system events that indicate path traversal attempts. the analytic may be modified to look for any file writes to this path as it is not common for files to write here.
false positives are not expected, as this detection is based on the presence of specific uri paths and http methods that are indicative of the cve-2024-27198 vulnerability exploitation. monitor, filter and tune as needed based on organization log sources.
false positives are not expected, however, monitor, filter, and tune as needed based on organization log sources. the analytic is restricted to 200 and get requests to specific uri paths, which should limit false positives.
false positives are possible and filtering may be required. restrict by assets or filter known jsp files that are common for the environment.
false positives are present when the values are set to 1 for utf and lookup. it's possible to raise this to ttp (direct notable) if removal of other_lookups occur and score is raised to 2 (down from 4).
false positives may be possible, however we restricted it to http status 200 and post requests, based on the poc. upon investigation review the post body for the actual payload - or command - being executed.
false positives may be present based on organization use of citrix adc and gateway. filter, or restrict the analytic to citrix devices only.
false positives may be present based on organization use of saml utilities. filter, or restrict the analytic to citrix devices only.
false positives may be present if the activity is blocked or was not successful. filter known vulnerablity scanners. filter as needed.
false positives may be present with legitimate applications. attempt to filter by dest ip or use asset groups to restrict to confluence servers.
false positives may be present, as this is based on the admin user accessing the papercut ng instance from a public ip address. filter as needed.
false positives may be present, but most likely not. filter as needed.
false positives may be present, filter as needed.
false positives may be present, filtering may be needed. also, restricting to known web servers running iis or sharefile will change this from hunting to ttp.
false positives may be present, restrict to cisco ios xe devices or perimeter appliances. modify the analytic as needed based on hunting for successful exploitation of cve-2023-20198.
false positives may be present. modify the query as needed to post, or add additional filtering (based on log source).
false positives may occur and filtering may be required. restrict analytic to asset type.
false positives may occur depending on the web server's configuration. if the web server is intentionally configured to utilize the remote shellservlet, then the detections by this analytic would not be considered true positives.
false positives should be limited as the analytic is specific to screenconnect path traversal attempts. tune as needed, or restrict to specific hosts if false positives are encountered.
false positives should be limited as this detection is based on a specific url path and http status code. adjust the search as necessary to fit the environment.
false positives will be limited, however tune or modify the query as needed.
false positives will be present based on gateways in use, modify the status field as needed.
files generated during installation will generate a lot of noise, so the rule should only be enabled after the fact.
filtering may be required in some instances, filter as needed.
filtering may be required on internal developer build systems or classify assets as web facing and restrict the analytic based on that.
get requests will be noisy and need to be filtered out or removed from the query based on volume. restrict analytic to known publically facing fortigates, or run analytic as a hunt until properly tuned. it is also possible the user agent may be filtered on report runner or node.js only for the exploit, however, it is unknown at this if other user agents may be used.
if teamcity is not in use, this analytic will not return results. monitor and tune for your environment.
if the application expects to work with xml there may be parsing issues that don't necessarily mean xxe.
if there is a vulnerablility scannner looking for log4shells this will trigger, otherwise likely to have low false positives.
if ws_ftp server is not in use, this analytic will not return results. monitor and tune for your environment. note the metasploit module is focused on only hitting /aht/ and not the full /aht/ahtapiservice.asmx/authuser url.
if you have front-facing proxies that provide authentication and tls, this rule would need to be tuned to eliminate the source ip address of your reverse-proxy.
in the wild, we have observed three different types of attempts that could potentially trigger false positives if the http status code is not in the query. please check this github gist for the specific uris : https://gist.github.com/patel-bhavin/d10830f3f375a2397233f6a4fe38d5c9 . these could be legitimate requests depending on the context of your organization. therefore, it is recommended to modify the analytic as needed to suit your specific environment.
internal vulnerability scanners
internal vulnerability scanners can cause some serious fps when used, if you experience a lot of fps due to this think of adding more filters such as \"user agent\" strings and more response codes
inventory and monitoring activity
iot (internet of things) devices and networks may use telnet and can be excluded if desired. some business work-flows may use telnet for administration of older devices. these often have a predictable behavior. telnet activity involving an unusual source or destination may be more suspicious. telnet activity involving a production server that has no known associated telnet work-flow or business requirement is often suspicious.
ipv4-to-ipv6 mapped ips
irregular path with files that may be purposely called for benign reasons may produce false positives.
it is highly possible you will find false positives, however, the base score is set to 2 for _any_ jndi found in raw logs. tune and change as needed, include any filtering.
it is important to note that false positives may occur if the search criteria are expanded beyond the http status code 200. in other words, if the search includes other http status codes, the likelihood of encountering false positives increases. this is due to the fact that http status codes other than 200 may not necessarily indicate a successful exploitation attempt.
it's possible that legitimate traffic will have long urls or long user agent strings and that common sql commands may be found within the url. please investigate as appropriate.
java scripts and css files
legitimate applications
legitimate apps
legitimate apps the use these paths
legitimate java applications may use perform outbound connections to these ports. filter as needed
legitimate logon attempts over the internet
legitimate processes may be spawned from the microsoft exchange server unified messaging (um) service. if known processes are causing false positives, they can be exempted from the rule.
legitimate usage of the big ip rest api to execute command for administration purposes
legitimate use of scx runasprovider executescript.
legitimate use of scx runasprovider invoke_executeshellcommand.
legitimate winrm usage
limited false positives, however, tune as needed.
missing .vm files
network monitoring or management products may have a web server component that runs shell commands as part of normal behavior.
particular web applications may spawn a shell process legitimately
powershell and windows command shell are often observed as legit child processes of the jetbrains teamcity service and may require further tuning.
puppeteer invocation exceptions often contain child_process related errors, that doesn't necessarily mean that the app is vulnerable.
rdp connections may be made directly to internet destinations in order to access windows cloud server instances but such connections are usually made only by engineers. in such cases, only rdp gateways, bastions or jump servers may be expected internet destinations and can be exempted from this rule. rdp may be required by some work-flows such as remote access and support for specialized software products and servers. such work-flows are usually known and not unexpected. usage that is unfamiliar to server or network owners can be unexpected and suspicious.
scanning attempts with the abnormal use of the http post method with no indication of code execution within the http client (request) body. an example would be vulnerability scanners trying to identify unpatched versions while not actually exploiting the vulnerability. see description for investigation tips.
security audits, maintenance, and network administrative scripts may trigger this alert when run under web processes.
similar to cve-2023-35078, the path for exploitation indicates that status=200 is required for successful exploitation of the vulnerability. false positives may be present if status=200 is removed from the search. if it is removed,then the search also alert on status=301 and status=404 which indicates unsuccessful exploitation attempts. analysts may find it useful to hunt for these status codes as well, but it is likely to produce a significant number of alerts as this is a widespread vulnerability.
some network security policies allow rdp directly from the internet but usage that is unfamiliar to server or network owners can be unexpected and suspicious. rdp services may be exposed directly to the internet in some networks such as cloud environments. in such cases, only rdp gateways, bastions or jump servers may be expected expose rdp directly to the internet and can be exempted from this rule. rdp may be required by some work-flows such as remote access and support for specialized software products and servers. such work-flows are usually known and not unexpected.
some network security policies allow ssh directly from the internet but usage that is unfamiliar to server or network owners can be unexpected and suspicious. ssh services may be exposed directly to the internet in some networks such as cloud environments. in such cases, only ssh gateways, bastions or jump servers may be expected expose ssh directly to the internet and can be exempted from this rule. ssh may be required by some work-flows such as remote access and support for specialized software products and servers. such work-flows are usually known and not unexpected.
the jsp file names are static names used in current proof of concept code. =
the proof of concept exploit script indicates that status=200 is required for successful exploitation of the vulnerability. false positives may be present if status=200 is removed from the search. if it is removed,then the search also alert on status=301 and status=404 which indicates unsuccessful exploitation attempts. analysts may find it useful to hunt for these status codes as well, but it is likely to produce a significant number of alerts as this is a widespread vulnerability.
the query is structured in a way that `action` (read, create) is not defined. review the results of this query, filter, and tune as necessary. it may be necessary to generate this query specific to your endpoint product.
there are no known false positive for this search, but it could contain false positives as multiple detections can trigger and not have successful exploitation.
there are numerous many uses of the 'makeresults' and 'collect' spl commands. please evaluate the results of this search for potential abuse.
this analytic is limited to http status 200; adjust as necessary. false positives may occur if the uri path is ip-restricted or externally blocked. it's recommended to review the context of the alerts and adjust the analytic parameters to better fit the specific environment.
this hunting search will produce false positives if ansi escape characters are included in urls either voluntarily or by accident. this search will not detect obfuscated ansi characters.
this rule was tuned using the following baseline: https://raw.githubusercontent.com/microsoft/css-exchange/main/security/baselines/baseline_15.2.792.5.csv from microsoft. depending on version, consult https://github.com/microsoft/css-exchange/tree/main/security/baselines to help determine normalcy.
tune based on assets if possible, or restrict to known confluence servers. remove the ${ for a more broad query. to identify more exec, remove everything up to the last parameter (runtime().exec) for a broad query.
unlikely
user searches in search boxes of the respective website
vnc connections may be received directly to linux cloud server instances but such connections are usually made only by engineers. vnc is less common than ssh or rdp but may be required by some work-flows such as remote access and support for specialized software products or servers. such work-flows are usually known and not unexpected. usage that is unfamiliar to server or network owners can be unexpected and suspicious.
vulnerability scanners