LoFP / false positives may be present if the activity is blocked or was not successful. Filter known vulnerability scanners. Filter as needed.

Techniques

Sample rules

F5 BIG-IP iControl REST Vulnerability CVE-2022-1388

Description

The following analytic identifies a recent unauthenticated remote code execution vulnerability against the F5 BIG-IP iControl REST API. The analytic matches the URI path found in the public PoCs together with the HTTP method POST. In addition, the request header carries the commands that may be executed in the utilcmdargs field and an X-F5-Auth-Token auth field, which may hold a random base64-encoded value.

Detection logic

| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url="*/mgmt/tm/util/bash*" Web.http_method="POST" by Web.http_user_agent, Web.http_method, Web.url, Web.url_length, Web.src, Web.dest
| `drop_dm_object_name("Web")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `f5_big_ip_icontrol_rest_vulnerability_cve_2022_1388_filter`

VMware Server Side Template Injection Hunt

Description

The following hunting analytic identifies server-side template injection related to CVE-2022-22954, but covers a variation found on the same endpoint of the URL scheme.

Detection logic

| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.http_method IN ("GET") Web.url="*deviceudid=*" AND Web.url IN ("*java.lang.ProcessBuilder*","*freemarker.template.utility.ObjectConstructor*") by Web.http_user_agent, Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype
| `drop_dm_object_name("Web")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `vmware_server_side_template_injection_hunt_filter`

VMware Workspace ONE Freemarker Server-side Template Injection

Description

The following analytic identifies server-side template injection related to CVE-2022-22954. Based on the scanning activity observed across the internet and the proof-of-concept code available, the template injection occurs at catalog-portal/ui/oauth/verify?error=&deviceudid=. Upon triage, review parallel processes and VMware logs. The value following deviceudid= may be a command to be executed. Capture any file creation events and review modified files on disk.

Detection logic

| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.http_method IN ("GET") Web.url="*/catalog-portal/ui/oauth/verify?error=&deviceudid=*" AND Web.url="*freemarker.template.utility.Execute*" by Web.http_user_agent, Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype
| `drop_dm_object_name("Web")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `vmware_workspace_one_freemarker_server_side_template_injection_filter`