Techniques
Sample rules
VMWare Aria Operations Exploit Attempt
- source: splunk
- techniques:
- T1133
- T1190
- T1210
- T1068
Description
The following analytic detects potential exploitation attempts against VMware Aria Operations for Networks (formerly vRealize Network Insight), specifically targeting the CVE-2023-20887 vulnerability. It queries the Web data model for HTTP POST requests whose URL contains the vulnerable endpoint “/saas./resttosaasservlet” and whose response status is 200 or unknown (not recorded by the log source), grouping the matches by source, destination, user agent, URL and status. Identifying this behavior is crucial for a SOC as it indicates an active exploit attempt. If confirmed malicious, the attacker could execute arbitrary code, leading to unauthorized access, data theft, or further network compromise. Note that the search only sees requests that reach the Web data model (web server, proxy or WAF logs covering the appliance), that a 200 status alone does not prove the request succeeded, and that vulnerability scanners probing the same path will also match; known scanner sources should be tuned out through the filter macro at the end of the search.
Detection logic
| tstats `security_content_summariesonly`
count min(_time) as firstTime
max(_time) as lastTime
FROM datamodel=Web WHERE
Web.url="*/saas./resttosaasservlet*"
Web.http_method=POST
Web.status IN (
"unknown",
"200"
)
BY Web.http_user_agent Web.status
Web.http_method Web.url Web.url_length
Web.src Web.dest
| `drop_dm_object_name("Web")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `vmware_aria_operations_exploit_attempt_filter`
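The following is an added Python re-implementation of the search above, run over constructed access-log lines; it is not part of the Splunk content and the log format, field mapping and `src_allowlist` tuning hook are assumptions made for the example. It mirrors the WHERE clause (URL substring, POST, status 200 or unknown), the BY clause, and the count/firstTime/lastTime aggregation, so the excluded GET, 404 and off-path requests can be checked line by line.

```python
import re
from datetime import datetime, timezone

# Constructed sample web-access lines (not real captures). Assumed layout:
# src dest ident user [timestamp] "METHOD URL PROTO" status bytes "referer" "user-agent".
# A "-" status stands in for the Web data model's "unknown" value.
SAMPLE_LOGS = """\
203.0.113.9 10.0.0.5 - - [21/Jun/2023:10:15:02 +0000] "POST /saas./resttosaasservlet HTTP/1.1" 200 512 "-" "python-requests/2.31.0"
203.0.113.9 10.0.0.5 - - [21/Jun/2023:10:15:07 +0000] "POST /saas./resttosaasservlet HTTP/1.1" 200 498 "-" "python-requests/2.31.0"
198.51.100.7 10.0.0.5 - - [21/Jun/2023:10:16:40 +0000] "GET /saas./resttosaasservlet HTTP/1.1" 404 0 "-" "Mozilla/5.0"
198.51.100.7 10.0.0.5 - - [21/Jun/2023:10:17:12 +0000] "POST /login HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.9 10.0.0.5 - - [21/Jun/2023:10:18:00 +0000] "POST /saas./resttosaasservlet HTTP/1.1" - 0 "-" "curl/8.1.2"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) (?P<dest>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\S+) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Web.url="*/saas./resttosaasservlet*": the leading and trailing wildcards make this a substring match.
VULN_PATH = "/saas./resttosaasservlet"


def parse_line(line):
    """Map one access-log line onto the Web data model fields the search uses."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["status"] = "unknown" if ev["status"] == "-" else ev["status"]
    ev["_time"] = int(datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp())
    return ev


def run_detection(log_text, src_allowlist=frozenset()):
    """Apply the WHERE clause, then aggregate like the tstats BY clause.

    src_allowlist is a hypothetical stand-in for the
    `vmware_aria_operations_exploit_attempt_filter` macro (an empty tuning hook
    in the original content): sources listed here are dropped as known scanners.
    """
    groups = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        # WHERE Web.url="*/saas./resttosaasservlet*" Web.http_method=POST
        #       Web.status IN ("unknown", "200")
        if VULN_PATH not in ev["url"] or ev["method"] != "POST":
            continue
        if ev["status"] not in ("unknown", "200"):
            continue
        if ev["src"] in src_allowlist:
            continue
        # BY Web.http_user_agent Web.status Web.http_method Web.url Web.url_length Web.src Web.dest
        key = (ev["ua"], ev["status"], ev["method"], ev["url"], len(ev["url"]), ev["src"], ev["dest"])
        g = groups.setdefault(key, {"count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"]})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], ev["_time"])
        g["lastTime"] = max(g["lastTime"], ev["_time"])
    # drop_dm_object_name("Web"): field names without the "Web." prefix
    fields = ("http_user_agent", "status", "http_method", "url", "url_length", "src", "dest")
    results = [dict(zip(fields, key), **agg) for key, agg in groups.items()]
    return sorted(results, key=lambda r: r["firstTime"])


def ctime(epoch):
    """Equivalent of security_content_ctime: epoch seconds to a readable UTC string."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


if __name__ == "__main__":
    for r in run_detection(SAMPLE_LOGS):
        print(f'{ctime(r["firstTime"])} .. {ctime(r["lastTime"])} count={r["count"]} '
              f'src={r["src"]} dest={r["dest"]} status={r["status"]} ua={r["http_user_agent"]}')
```

On the sample input this yields two rows: the two python-requests POSTs collapse into one row with count 2, and the curl POST with no recorded status surfaces as its own row with status unknown, which is why the search keeps "unknown" alongside "200": a proxy that logs the request before the appliance answers must not hide the attempt.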