False positives should be limited, as this detection is based on a specific URL path and HTTP status code. Adjust the search as necessary to fit the environment.

Techniques

Sample rules

Jenkins Arbitrary File Read CVE-2024-23897

Description

The following analytic identifies exploitation of the Jenkins Arbitrary File Read vulnerability CVE-2024-23897. The attack allows an attacker to read arbitrary files on the Jenkins server, which can be used to obtain sensitive information such as credentials and private keys.

Detection logic

| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url="*/cli?remoting=false*" Web.status=200 Web.http_method=POST by Web.src, Web.dest, Web.http_user_agent, Web.url, Web.status, Web.http_method
| `drop_dm_object_name("Web")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `jenkins_arbitrary_file_read_cve_2024_23897_filter`
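To make the query's behaviour concrete, the following is an added Python example (not code from the Splunk security content project) that applies the same three conditions, URL matching `*/cli?remoting=false*`, status 200 and method POST, to a handful of constructed proxy-style log lines and groups the hits the way the `by` clause does. The log line format, the field order and every IP, host and user agent below are assumptions made for the example. One detail worth seeing in code: in the Splunk search, only `*` is a wildcard, so the `?` before `remoting` is a literal character; a glob translation that treats `?` as "any one character" (as Python's `fnmatch` does) would widen the match.

```python
"""Added example: the Jenkins CVE-2024-23897 detection conditions applied to
constructed web-log records in Python (illustrative, not project code)."""
import re
from datetime import datetime, timezone
from typing import Dict, Iterable, Optional, Tuple

# Constructed log format (an assumption for this example):
# <ISO8601 time> <src> <dest> <METHOD> "<url>" <status> "<user agent>"
LOG_RE = re.compile(
    r'^(?P<time>\S+) (?P<src>\S+) (?P<dest>\S+) (?P<method>[A-Z]+) '
    r'"(?P<url>[^"]*)" (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# Constructed sample events. Listed out of time order on purpose so the
# firstTime/lastTime aggregation is exercised. Only two lines satisfy all
# three conditions for 10.0.0.5; one more matches for 10.0.0.8 behind a
# context path; the GET, the 403 and the console page must be excluded.
SAMPLE_LOGS = [
    '2024-01-26T10:00:03Z 10.0.0.5 jenkins.internal POST "/cli?remoting=false" 200 "Java/17.0.9"',
    '2024-01-26T10:00:00Z 10.0.0.5 jenkins.internal GET "/cli?remoting=false" 200 "Java/17.0.9"',
    '2024-01-26T10:00:01Z 10.0.0.5 jenkins.internal POST "/cli?remoting=false" 200 "Java/17.0.9"',
    '2024-01-26T10:01:10Z 10.0.0.9 jenkins.internal POST "/cli?remoting=false" 403 "curl/8.4.0"',
    '2024-01-26T10:02:00Z 10.0.0.7 jenkins.internal GET "/job/build/1/console" 200 "Mozilla/5.0"',
    '2024-01-26T10:03:00Z 10.0.0.8 jenkins.internal POST "/jenkins/cli?remoting=false" 200 "Java/11.0.21"',
]


def splunk_glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a Splunk-style wildcard into an anchored regex.

    Only '*' is a wildcard in the Splunk search language; every other
    character, including '?', is matched literally. This deliberately
    differs from fnmatch, where '?' would match any single character.
    """
    parts = [re.escape(piece) for piece in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$")


URL_PATTERN = splunk_glob_to_regex("*/cli?remoting=false*")

# Group key mirrors the SPL "by" clause:
# src, dest, http_user_agent, url, status, http_method
GroupKey = Tuple[str, str, str, str, int, str]


def parse_line(line: str) -> Optional[dict]:
    """Parse one constructed log line into a dict, or None if malformed."""
    match = LOG_RE.match(line)
    if not match:
        return None
    event = match.groupdict()
    event["status"] = int(event["status"])
    event["time"] = datetime.strptime(
        event["time"], "%Y-%m-%dT%H:%M:%SZ"
    ).replace(tzinfo=timezone.utc)
    return event


def is_suspicious(event: dict) -> bool:
    """The three conditions from the tstats 'where' clause."""
    return (
        URL_PATTERN.match(event["url"]) is not None
        and event["status"] == 200
        and event["method"] == "POST"
    )


def detect(lines: Iterable[str]) -> Dict[GroupKey, dict]:
    """Return count/firstTime/lastTime per group, like the tstats output."""
    groups: Dict[GroupKey, dict] = {}
    for line in lines:
        event = parse_line(line)
        if event is None or not is_suspicious(event):
            continue
        key: GroupKey = (
            event["src"], event["dest"], event["ua"],
            event["url"], event["status"], event["method"],
        )
        stats = groups.setdefault(
            key, {"count": 0, "firstTime": event["time"], "lastTime": event["time"]}
        )
        stats["count"] += 1
        stats["firstTime"] = min(stats["firstTime"], event["time"])
        stats["lastTime"] = max(stats["lastTime"], event["time"])
    return groups


if __name__ == "__main__":
    for key, stats in sorted(detect(SAMPLE_LOGS).items()):
        src, dest, ua, url, status, method = key
        print(f"{src} -> {dest} {method} {url} {status} [{ua}] "
              f"count={stats['count']} first={stats['firstTime'].isoformat()} "
              f"last={stats['lastTime'].isoformat()}")
```

Running the block prints one row per (src, dest, user agent, url, status, method) group, which is the shape the SPL query hands to the `security_content_ctime` macros and the filter macro. The GET line is the reason the query keys on POST: a legitimate CLI client uses both a download and an upload channel, and only the upload side carries the attacker-controlled arguments, so it is the POST with a 200 that is worth alerting on.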