LoFP / if ws_ftp server is not in use, this analytic will not return results. monitor and tune for your environment. note the metasploit module is focused on only hitting /aht/ and not the full /aht/ahtapiservice.asmx/authuser url.

Techniques

• T1190

Sample rules

WS FTP Remote Code Execution

• source: splunk
• technicques:
  • T1190

Description

The following analytic detects potential Remote Code Execution (RCE) attempts exploiting CVE-2023-40044 in WS_FTP software. It identifies HTTP POST requests to the “/AHT/AhtApiService.asmx/AuthUser” URL with a status code of 200. This detection leverages the Web datamodel to monitor specific URL patterns and HTTP status codes. This activity is significant as it may indicate an exploitation attempt, potentially allowing an attacker to execute arbitrary code on the server. If confirmed malicious, this could lead to unauthorized access, data exfiltration, or further compromise of the affected system.

Detection logic

| tstats `security_content_summariesonly`
  count min(_time) as firstTime
        max(_time) as lastTime

FROM datamodel=Web WHERE

Web.url="*/AHT/AhtApiService.asmx/AuthUser"
Web.status=200
Web.http_method="POST"

BY Web.http_user_agent Web.status Web.http_method
   Web.url Web.url_length Web.src Web.dest


| `drop_dm_object_name("Web")`

| `security_content_ctime(firstTime)`

| `security_content_ctime(lastTime)`

| `ws_ftp_remote_code_execution_filter`