Techniques
Sample rules
PaperCut NG Remote Web Access Attempt
- source: splunk
- technicques:
- T1190
- T1133
Description
The following analytic detects potential exploitation attempts on publicly accessible PaperCut NG servers.
It identifies connections from public IP addresses to the server, specifically monitoring URI paths commonly used in proof-of-concept scripts for exploiting PaperCut NG vulnerabilities.
This detection leverages web traffic data from the Web datamodel, focusing on specific URI paths and excluding internal IP ranges.
This activity is significant as it may indicate an attempt to exploit known vulnerabilities in PaperCut NG, potentially leading to unauthorized access or control of the server.
If confirmed malicious, attackers could gain administrative access, leading to data breaches or further network compromise.
Detection logic
| tstats `security_content_summariesonly`
count min(_time) as firstTime
max(_time) as lastTime
from datamodel=Web WHERE
Web.url IN (
"*/app?service=direct/1/PrinterDetails/printerOptionsTab.tab"
"*/app?service=direct/1/PrinterList/selectPrinter&sp=*",
"*/app?service=page/PrinterList",
"*/app?service=page/SetupCompleted"
)
NOT src IN (
"10.0.0.0/8",
"172.16.0.0/12",
"192.168.0.0/16",
"100.64.0.0/10",
"127.0.0.0/8",
"169.254.0.0/16",
"192.0.0.0/24",
"192.0.0.0/29",
"192.0.0.8/32",
"192.0.0.9/32",
"192.0.0.10/32",
"192.0.0.170/32",
"192.0.0.171/32",
"192.0.2.0/24",
"192.31.196.0/24",
"192.52.193.0/24",
"192.88.99.0/24",
"224.0.0.0/4",
"192.175.48.0/24",
"198.18.0.0/15",
"198.51.100.0/24",
"203.0.113.0/24",
"240.0.0.0/4",
"::1"
)
by Web.http_user_agent Web.http_method
Web.url,Web.url_length Web.src
Web.dest Web.dest_port
| `drop_dm_object_name("Web")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `papercut_ng_remote_web_access_attempt_filter`