Techniques
Sample rules
PaperCut NG Suspicious Behavior Debug Log
- source: splunk
- technicques:
- T1190
- T1133
Description
The following hunting analytic is designed to monitor and detect potential exploitation attempts targeting a PaperCut NG server by analyzing its debug log data. By focusing on public IP addresses accessing the PaperCut NG instance, this analytic aims to identify unauthorized or suspicious access attempts. Furthermore, it searches for specific URIs that have been discovered in the proof of concept code, which are associated with known exploits or vulnerabilities. The analytic is focused on the user admin. Regex is used mainly because the log is not parsed by Splunk and there is no TA for this debug log.
Detection logic
`papercutng` (loginType=Admin OR userName=admin)
| eval uri_match=if(match(_raw, "(?i)(\/app\?service=page\/SetupCompleted
|\/app
|\/app\?service=page\/PrinterList
|\/app\?service=direct\/1\/PrinterList\/selectPrinter&sp=l1001
|\/app\?service=direct\/1\/PrinterDetails\/printerOptionsTab\.tab)"), "URI matches", null())
| eval ip_match=if(match(_raw, "(?i)((25[0-5]
|2[0-4][0-9]
|[01]?[0-9][0-9]?)\.(25[0-5]
|2[0-4][0-9]
|[01]?[0-9][0-9]?)\.(25[0-5]
|2[0-4][0-9]
|[01]?[0-9][0-9]?)\.(25[0-5]
|2[0-4][0-9]
|[01]?[0-9][0-9]?))") AND NOT match(_raw, "(?i)(10\.(25[0-5]
|2[0-4][0-9]
|[01]?[0-9][0-9]?)\.(25[0-5]
|2[0-4][0-9]
|[01]?[0-9][0-9]?)\.(25[0-5]
|2[0-4][0-9]
|[01]?[0-9][0-9]?))
|(172\.(1[6-9]
|2[0-9]
|3[0-1])\.(25[0-5]
|2[0-4][0-9]
|[01]?[0-9][0-9]?)\.(25[0-5]
|2[0-4][0-9]
|[01]?[0-9][0-9]?))
|(192\.168\.(25[0-5]
|2[0-4][0-9]
|[01]?[0-9][0-9]?)\.(25[0-5]
|2[0-4][0-9]
|[01]?[0-9][0-9]?))"), "IP matches", null())
| where (isnotnull(uri_match) OR isnotnull(ip_match))
| stats sparkline, count, values(uri_match) AS uri_match, values(ip_match) AS ip_match latest(_raw) BY host, index, sourcetype
| `papercut_ng_suspicious_behavior_debug_log_filter`