LoFP / false positives should be limited as this detection is based on a specific url path and http status code. adjust the search as necessary to fit the environment.

Techniques

• T1190

Sample rules

Jenkins Arbitrary File Read CVE-2024-23897

• source: splunk
• technicques:
  • T1190

Description

The following analytic identifies attempts to exploit Jenkins Arbitrary File Read CVE-2024-23897. It detects HTTP POST requests to Jenkins URLs containing “/cli?remoting=false” with a 200 status code. This activity is significant as it indicates potential unauthorized access to sensitive files on the Jenkins server, such as credentials and private keys. If confirmed malicious, this could lead to severe data breaches, unauthorized access, and further exploitation within the environment.

Detection logic

| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url="*/cli?remoting=false*" Web.status=200 Web.http_method=POST by Web.src, Web.dest, Web.http_user_agent, Web.url Web.status, Web.http_method 
| `drop_dm_object_name("Web")` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `jenkins_arbitrary_file_read_cve_2024_23897_filter`