Legitimate new account creation by authorized administrators will generate similar log entries; however, those entries should carry the expected authentication details, such as the source IP of the session that created the account. Verify any detected events against expected administrative activity and the list of authorized users.

Techniques

Sample rules

Ivanti VTM New Account Creation

Description

This analytic detects potential exploitation of the Ivanti Virtual Traffic Manager (vTM) authentication bypass vulnerability (CVE-2024-7593) to create new administrator accounts. The vulnerability allows an unauthenticated remote attacker to bypass authentication on the admin panel and create new admin users. This detection looks for new account creation events in the Ivanti vTM audit log that lack the expected authentication details (the search keys on an "adduser" operation into the admin group with no source IP recorded), which may indicate an exploitation attempt.

Detection logic

`ivanti_vtm_audit` OPERATION="adduser" MODGROUP="admin" IP="!!ABSENT!!" 
| stats count min(_time) as firstTime max(_time) as lastTime by IP, MODUSER, OPERATION, MODGROUP, AUTH 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `ivanti_vtm_new_account_creation_filter`
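The following Python script is an added example, not part of the original page or of the Splunk/Ivanti content it describes. It re-implements the search above outside Splunk so the matching and aggregation can be checked against a handful of constructed audit lines: filter on OPERATION="adduser", MODGROUP="admin" and IP="!!ABSENT!!", then count events and take the first and last timestamps per (IP, MODUSER, OPERATION, MODGROUP, AUTH) group. The key="value" line layout, the timestamp format and the sample values are assumptions made for the example; the allow-list argument stands in for the `ivanti_vtm_new_account_creation_filter` macro and models the triage step from the false-positive note (accounts created by authorized administrators are dropped from the results).

```python
import re
from datetime import datetime, timezone

# Constructed sample audit lines (not real Ivanti vTM output). Field names match the
# search; "!!ABSENT!!" is the literal the search keys on when no value was logged.
SAMPLE_AUDIT_LINES = [
    '2024-08-13T10:02:11Z OPERATION="adduser" MODUSER="svc_backup" MODGROUP="admin" AUTH="LOCAL" IP="10.0.0.15"',
    '2024-08-13T11:47:03Z OPERATION="adduser" MODUSER="support" MODGROUP="admin" AUTH="!!ABSENT!!" IP="!!ABSENT!!"',
    '2024-08-13T11:47:09Z OPERATION="adduser" MODUSER="support" MODGROUP="admin" AUTH="!!ABSENT!!" IP="!!ABSENT!!"',
    '2024-08-13T12:10:44Z OPERATION="adduser" MODUSER="reader" MODGROUP="monitoring" AUTH="!!ABSENT!!" IP="!!ABSENT!!"',
    '2024-08-13T12:30:00Z OPERATION="deluser" MODUSER="oldadmin" MODGROUP="admin" AUTH="!!ABSENT!!" IP="!!ABSENT!!"',
]

KV_RE = re.compile(r'(\w+)="([^"]*)"')   # assumed key="value" layout
ABSENT = "!!ABSENT!!"
GROUP_KEYS = ("IP", "MODUSER", "OPERATION", "MODGROUP", "AUTH")


def parse_line(line):
    """Split one constructed audit line into a dict of fields plus a UTC _time."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["_time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return fields


def matches(event):
    """The search's filter: adduser into the admin group with no source IP recorded.
    Like the SPL, this requires the literal !!ABSENT!! value; an event with no IP
    key at all would not match either query."""
    return (event.get("OPERATION") == "adduser"
            and event.get("MODGROUP") == "admin"
            and event.get("IP") == ABSENT)


def detect(lines, authorized_users=frozenset()):
    """Equivalent of the stats pipeline: count, firstTime and lastTime per group.
    authorized_users is an assumed stand-in for the filter macro: new accounts that
    administrators are known to have created are removed from the result set."""
    groups = {}
    for line in lines:
        ev = parse_line(line)
        if not matches(ev):
            continue
        key = tuple(ev.get(k) for k in GROUP_KEYS)
        g = groups.setdefault(key, {"count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"]})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], ev["_time"])
        g["lastTime"] = max(g["lastTime"], ev["_time"])

    results = []
    for key, g in groups.items():
        row = dict(zip(GROUP_KEYS, key))
        if row["MODUSER"] in authorized_users:   # triage: expected administrative creation
            continue
        row.update(count=g["count"],
                   firstTime=g["firstTime"].isoformat(),
                   lastTime=g["lastTime"].isoformat())
        results.append(row)
    return results


if __name__ == "__main__":
    for row in detect(SAMPLE_AUDIT_LINES):
        print(row)
```

Run against the constructed lines, only the two "support" creations survive: the first line has a real source IP, the fourth adds a user to a non-admin group, and the fifth is a deluser operation. Passing authorized_users={"support"} empties the result set, which is the tuning the false-positive note asks for once an administrator has confirmed the account.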