LoFP / the proof of concept exploit script indicates that status=200 is required for successful exploitation of the vulnerability. false positives may be present if status=200 is removed from the search. if it is removed,then the search also alert on status=301 and status=404 which indicates unsuccessful exploitation attempts. analysts may find it useful to hunt for these status codes as well, but it is likely to produce a significant number of alerts as this is a widespread vulnerability.

Techniques

• T1133
• T1190

Sample rules

Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078

• source: splunk
• technicques:
  • T1190
  • T1133

Description

The given analytic is designed to detect the exploitation of CVE-2023-35078, a vulnerability in Ivanti Endpoint Manager Mobile (EPMM) affecting versions up to 11.4. Specifically, the query searches web logs for HTTP requests to the potentially vulnerable endpoint “/mifs/aad/api/v2/authorized/users?*” with a successful status code of 200. This analytic is instrumental in detecting unauthorized remote access to restricted functionalities or resources within the application, a behavior worth identifying for a Security Operations Center (SOC). By monitoring specific patterns and successful access indicators, it reveals an active attempt to exploit the vulnerability, potentially leading to data theft, unauthorized modifications, or further system compromise. If successfully executed, the impact can be severe, necessitating immediate action.

Detection logic

| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("/mifs/aad/api/v2/authorized/users?*") Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype 
| `drop_dm_object_name("Web")` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35078_filter`