LoFP / false positives may be present, filtering may be needed. also, restricting to known web servers running iis or sharefile will change this from hunting to ttp.

Techniques

• T1190

Sample rules

Citrix ShareFile Exploitation CVE-2023-24489

• source: splunk
• technicques:
  • T1190

Description

The following analytic detects potentially malicious file upload attempts to Citrix ShareFile via specific suspicious URLs and the HTTP POST method. It leverages the Web datamodel to identify URL patterns such as “/documentum/upload.aspx?parentid=”, “/documentum/upload.aspx?filename=”, and “/documentum/upload.aspx?uploadId=*”, combined with the HTTP POST method. This activity is significant for a SOC as it may indicate an attempt to upload harmful scripts or content, potentially compromising the Documentum application. If confirmed malicious, this could lead to unauthorized access, data breaches, and operational disruptions.

Detection logic

| tstats count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Web
  WHERE Web.url="/documentum/upload.aspx?*"
    AND
    Web.url IN ("*parentid=*","*filename=*","*uploadId=*")
    AND
    Web.url IN ("*unzip=*", "*raw=*") Web.http_method=POST
  BY Web.http_user_agent, Web.status Web.http_method,
     Web.url, Web.url_length, Web.src,
     Web.dest, sourcetype

| `drop_dm_object_name("Web")`

| `security_content_ctime(firstTime)`

| `security_content_ctime(lastTime)`

| `citrix_sharefile_exploitation_cve_2023_24489_filter`