Techniques
Sample rules
VMWare Aria Operations Exploit Attempt
- source: splunk
- technicques:
- T1133
- T1190
- T1210
- T1068
Description
The following analytic detects potential exploitation attempts against VMWare vRealize Network Insight, specifically targeting the CVE-2023-20887 vulnerability. It monitors web traffic for HTTP POST requests directed at the vulnerable endpoint “/saas./resttosaasservlet.” This detection leverages web traffic data, focusing on specific URL patterns and HTTP methods. Identifying this behavior is crucial for a SOC as it indicates an active exploit attempt. If confirmed malicious, the attacker could execute arbitrary code, leading to unauthorized access, data theft, or further network compromise.
Detection logic
| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("*/saas./resttosaasservlet*") Web.http_method=POST Web.status IN ("unknown", "200") by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype
| `drop_dm_object_name("Web")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `vmware_aria_operations_exploit_attempt_filter`