LoFP / web server

Title | Tags
be aware of potential false positives - legitimate uses of the /webauth_operation.php endpoint may cause benign activities to be flagged. the url in the analytic is specific to a successful attempt to exploit the vulnerability. review the contents of the http body to determine if the request is malicious. if the request is benign, add the url to the whitelist or continue to monitor.
false positives are limited to zscaler configuration.
false positives are limited.
false positives are not expected, as this detection is based on the presence of specific uri paths and http methods that are indicative of the cve-2024-27198 vulnerability exploitation. monitor, filter and tune as needed based on organization log sources.
false positives are not expected, however, monitor, filter, and tune as needed based on organization log sources. the analytic is restricted to 200 and get requests to specific uri paths, which should limit false positives.
false positives are present when the values are set to 1 for utf and lookup. it's possible to raise this to ttp (direct notable) if other_lookups is removed and the score threshold is raised to 2 (down from 4).
false positives may be possible, however we restricted it to http status 200 and post requests, based on the poc. upon investigation review the post body for the actual payload - or command - being executed.
false positives may be present based on organization use of citrix adc and gateway. filter, or restrict the analytic to citrix devices only.
false positives may be present if suspicious behavior is observed, as determined by frequent usage of risky keywords.
false positives may be present if the activity is blocked or was not successful. filter known vulnerability scanners. filter as needed.
false positives may be present if this command is used as a common practice. filter as needed.
false positives may be present with legitimate applications. attempt to filter by dest ip or use asset groups to restrict to confluence servers.
false positives may be present, as this is based on the admin user accessing the papercut ng instance from a public ip address. filter as needed.
false positives may be present, filter as needed.
false positives may occur and filtering may be required. restrict analytic to asset type.
false positives may occur depending on the web server's configuration. if the web server is intentionally configured to utilize the remote shellservlet, then the detections by this analytic would not be considered true positives.
false positives may occur if there are legitimate activities that mimic the exploitation pattern. it's recommended to review the context of the alerts and adjust the analytic parameters to better fit the specific environment.
false positives should be limited as this detection is based on a specific url path and http status code. adjust the search as necessary to fit the environment.
false positives will be limited, however tune or modify the query as needed.
false positives will be present based on gateways in use, modify the status field as needed.
false positives will be present until properly filtered by username and search name.
filtering may be required in some instances, filter as needed.
if teamcity is not in use, this analytic will not return results. monitor and tune for your environment.
if the run time of a search exceeds the boundaries of outlier defined by the fitted density function model, false positives can occur, incorrectly labeling a long running search as potentially risky.
if ws_ftp server is not in use, this analytic will not return results. monitor and tune for your environment. note the metasploit module is focused on only hitting /aht/ and not the full /aht/ahtapiservice.asmx/authuser url.
it is highly possible you will find false positives, however, the base score is set to 2 for _any_ jndi found in raw logs. tune and change as needed, include any filtering.
it's possible for legitimate http requests to be made to urls containing the suspicious paths.
no known false positives for this detection.
similar to cve-2023-35078, the path for exploitation indicates that status=200 is required for successful exploitation of the vulnerability. false positives may be present if status=200 is removed from the search. if it is removed, then the search will also alert on status=301 and status=404, which indicate unsuccessful exploitation attempts. analysts may find it useful to hunt for these status codes as well, but it is likely to produce a significant number of alerts as this is a widespread vulnerability.
some of these processes may be used legitimately on web servers during maintenance or other administrative tasks.
the jsp file names are static names used in current proof of concept code.
the proof of concept exploit script indicates that status=200 is required for successful exploitation of the vulnerability. false positives may be present if status=200 is removed from the search. if it is removed, then the search will also alert on status=301 and status=404, which indicate unsuccessful exploitation attempts. analysts may find it useful to hunt for these status codes as well, but it is likely to produce a significant number of alerts as this is a widespread vulnerability.
there might be false positives associated with this detection, since an item like args as a web argument is pretty generic.
tune based on assets if possible, or restrict to known confluence servers. remove the ${ for a broader query. to identify more exec calls, remove everything up to the last parameter (runtime().exec) for a broad query.
very few legitimate content-type fields will have a length greater than 100 characters.