LoFP / false positives may be present, filtering may be needed. also, restricting to known web servers running iis or sharefile will change this from hunting to ttp.

Techniques

• T1190

Sample rules

Citrix ShareFile Exploitation CVE-2023-24489

• source: splunk
• technicques:
  • T1190

Description

The following analytic detects potentially malicious file upload attempts to Citrix ShareFile via specific suspicious URLs and the HTTP POST method. It leverages the Web datamodel to identify URL patterns such as “/documentum/upload.aspx?parentid=”, “/documentum/upload.aspx?filename=”, and “/documentum/upload.aspx?uploadId=*”, combined with the HTTP POST method. This activity is significant for a SOC as it may indicate an attempt to upload harmful scripts or content, potentially compromising the Documentum application. If confirmed malicious, this could lead to unauthorized access, data breaches, and operational disruptions.

Detection logic

| tstats `security_content_summariesonly`
  count min(_time) as firstTime
        max(_time) as lastTime

FROM datamodel=Web WHERE

Web.url="*/documentum/upload.aspx?*"
Web.url IN (
    "*parentid=*",
    "*filename=*",
    "*uploadId=*"
)
Web.url IN (
    "*unzip=*",
    "*raw=*"
)
Web.http_method=POST

BY Web.http_user_agent Web.status Web.http_method
   Web.url Web.url_length Web.src Web.dest


| `drop_dm_object_name("Web")`

| `security_content_ctime(firstTime)`

| `security_content_ctime(lastTime)`

| `citrix_sharefile_exploitation_cve_2023_24489_filter`