Sample rules
Ivanti Connect Secure Command Injection Attempts
- source: splunk
- technicques:
- T1190
Description
The following analytic identifies attempts to exploit the CVE-2023-46805 and CVE-2024-21887 vulnerabilities in Ivanti Connect Secure. It detects POST requests to specific URIs that leverage command injection to execute arbitrary commands. The detection uses the Web datamodel to monitor for these requests and checks for a 200 OK response, indicating a successful exploit attempt. This activity is significant as it can lead to unauthorized command execution on the server. If confirmed malicious, attackers could gain control over the system, leading to potential data breaches or further network compromise.
Detection logic
| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN("*/api/v1/totp/user-backup-code/../../system/maintenance/archiving/cloud-server-test-connection*","*/api/v1/totp/user-backup-code/../../license/keys-status/*") Web.http_method IN ("POST", "GET") Web.status=200 by Web.src, Web.dest, Web.http_user_agent, Web.url, Web.http_method, Web.status
| `drop_dm_object_name("Web")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `ivanti_connect_secure_command_injection_attempts_filter`
Ivanti Connect Secure System Information Access via Auth Bypass
- source: splunk
- technicques:
- T1190
Description
The following analytic identifies attempts to exploit the CVE-2023-46805 and CVE-2024-21887 vulnerabilities in Ivanti Connect Secure. It detects GET requests to the /api/v1/totp/user-backup-code/../../system/system-information URI, which leverage an authentication bypass to access system information. The detection uses the Web datamodel to identify requests with a 200 OK response, indicating a successful exploit attempt. This activity is significant as it reveals potential unauthorized access to sensitive system information. If confirmed malicious, attackers could gain critical insights into the system, facilitating further exploitation and compromise.
Detection logic
| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url="*/api/v1/totp/user-backup-code/../../system/system-information*" Web.http_method=GET Web.status=200 by Web.src, Web.dest, Web.http_user_agent, Web.url
| `drop_dm_object_name("Web")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `ivanti_connect_secure_system_information_access_via_auth_bypass_filter`
Adobe ColdFusion Access Control Bypass
- source: splunk
- technicques:
- T1190
Description
The following analytic detects potential exploitation attempts against Adobe ColdFusion vulnerabilities CVE-2023-29298 and CVE-2023-26360. It monitors requests to specific ColdFusion Administrator endpoints, especially those with an unexpected additional forward slash, using the Web datamodel. This activity is significant for a SOC as it indicates attempts to bypass access controls, which can lead to unauthorized access to ColdFusion administration endpoints. If confirmed malicious, this could result in data theft, brute force attacks, or further exploitation of other vulnerabilities, posing a serious security risk to the environment.
Detection logic
| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("//restplay*", "//CFIDE/restplay*", "//CFIDE/administrator*", "//CFIDE/adminapi*", "//CFIDE/main*", "//CFIDE/componentutils*", "//CFIDE/wizards*", "//CFIDE/servermanager*","/restplay*", "/CFIDE/restplay*", "/CFIDE/administrator*", "/CFIDE/adminapi*", "/CFIDE/main*", "/CFIDE/componentutils*", "/CFIDE/wizards*", "/CFIDE/servermanager*") Web.status=200 by Web.http_user_agent, Web.status, Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype
| `drop_dm_object_name("Web")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `adobe_coldfusion_access_control_bypass_filter`
Ivanti Connect Secure SSRF in SAML Component
- source: splunk
- technicques:
- T1190
Description
The following analytic identifies POST requests targeting endpoints vulnerable to the SSRF issue (CVE-2024-21893) in Ivanti’s products. It leverages the Web data model, focusing on endpoints such as /dana-ws/saml20.ws, /dana-ws/saml.ws, /dana-ws/samlecp.ws, and /dana-na/auth/saml-logout.cgi. The detection filters for POST requests that received an HTTP 200 OK response, indicating successful execution. This activity is significant as it may indicate an attempt to exploit SSRF vulnerabilities, potentially allowing attackers to access internal services or sensitive data. If confirmed malicious, this could lead to unauthorized access and data exfiltration.
Detection logic
| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("*/dana-ws/saml20.ws*","*/dana-ws/saml.ws*","*/dana-ws/samlecp.ws*","*/dana-na/auth/saml-logout.cgi/*") Web.http_method=POST Web.status=200 by Web.src, Web.dest, Web.http_user_agent, Web.url, Web.status, Web.http_method
| `drop_dm_object_name("Web")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `ivanti_connect_secure_ssrf_in_saml_component_filter`
Sample rules
Ivanti Connect Secure Command Injection Attempts
- source: splunk
- technicques:
- T1190
Description
The following analytic identifies attempts to exploit the CVE-2023-46805 and CVE-2024-21887 vulnerabilities in Ivanti Connect Secure. It detects POST requests to specific URIs that leverage command injection to execute arbitrary commands. The detection uses the Web datamodel to monitor for these requests and checks for a 200 OK response, indicating a successful exploit attempt. This activity is significant as it can lead to unauthorized command execution on the server. If confirmed malicious, attackers could gain control over the system, leading to potential data breaches or further network compromise.
Detection logic
| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN("*/api/v1/totp/user-backup-code/../../system/maintenance/archiving/cloud-server-test-connection*","*/api/v1/totp/user-backup-code/../../license/keys-status/*") Web.http_method IN ("POST", "GET") Web.status=200 by Web.src, Web.dest, Web.http_user_agent, Web.url, Web.http_method, Web.status
| `drop_dm_object_name("Web")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `ivanti_connect_secure_command_injection_attempts_filter`
Ivanti Connect Secure System Information Access via Auth Bypass
- source: splunk
- technicques:
- T1190
Description
The following analytic identifies attempts to exploit the CVE-2023-46805 and CVE-2024-21887 vulnerabilities in Ivanti Connect Secure. It detects GET requests to the /api/v1/totp/user-backup-code/../../system/system-information URI, which leverage an authentication bypass to access system information. The detection uses the Web datamodel to identify requests with a 200 OK response, indicating a successful exploit attempt. This activity is significant as it reveals potential unauthorized access to sensitive system information. If confirmed malicious, attackers could gain critical insights into the system, facilitating further exploitation and compromise.
Detection logic
| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url="*/api/v1/totp/user-backup-code/../../system/system-information*" Web.http_method=GET Web.status=200 by Web.src, Web.dest, Web.http_user_agent, Web.url
| `drop_dm_object_name("Web")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `ivanti_connect_secure_system_information_access_via_auth_bypass_filter`
Adobe ColdFusion Access Control Bypass
- source: splunk
- technicques:
- T1190
Description
The following analytic detects potential exploitation attempts against Adobe ColdFusion vulnerabilities CVE-2023-29298 and CVE-2023-26360. It monitors requests to specific ColdFusion Administrator endpoints, especially those with an unexpected additional forward slash, using the Web datamodel. This activity is significant for a SOC as it indicates attempts to bypass access controls, which can lead to unauthorized access to ColdFusion administration endpoints. If confirmed malicious, this could result in data theft, brute force attacks, or further exploitation of other vulnerabilities, posing a serious security risk to the environment.
Detection logic
| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("//restplay*", "//CFIDE/restplay*", "//CFIDE/administrator*", "//CFIDE/adminapi*", "//CFIDE/main*", "//CFIDE/componentutils*", "//CFIDE/wizards*", "//CFIDE/servermanager*","/restplay*", "/CFIDE/restplay*", "/CFIDE/administrator*", "/CFIDE/adminapi*", "/CFIDE/main*", "/CFIDE/componentutils*", "/CFIDE/wizards*", "/CFIDE/servermanager*") Web.status=200 by Web.http_user_agent, Web.status, Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype
| `drop_dm_object_name("Web")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `adobe_coldfusion_access_control_bypass_filter`
Ivanti Connect Secure SSRF in SAML Component
- source: splunk
- technicques:
- T1190
Description
The following analytic identifies POST requests targeting endpoints vulnerable to the SSRF issue (CVE-2024-21893) in Ivanti’s products. It leverages the Web data model, focusing on endpoints such as /dana-ws/saml20.ws, /dana-ws/saml.ws, /dana-ws/samlecp.ws, and /dana-na/auth/saml-logout.cgi. The detection filters for POST requests that received an HTTP 200 OK response, indicating successful execution. This activity is significant as it may indicate an attempt to exploit SSRF vulnerabilities, potentially allowing attackers to access internal services or sensitive data. If confirmed malicious, this could lead to unauthorized access and data exfiltration.
Detection logic
| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("*/dana-ws/saml20.ws*","*/dana-ws/saml.ws*","*/dana-ws/samlecp.ws*","*/dana-na/auth/saml-logout.cgi/*") Web.http_method=POST Web.status=200 by Web.src, Web.dest, Web.http_user_agent, Web.url, Web.status, Web.http_method
| `drop_dm_object_name("Web")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `ivanti_connect_secure_ssrf_in_saml_component_filter`
Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint
- source: splunk
- technicques:
- T1190
Description
The following analytic identifies access to the /api/v1/configuration/users/user-roles/user-role/rest-userrole1/web/web-bookmarks/bookmark endpoint, which is associated with CVE-2023-46805 and CVE-2024-21887 vulnerabilities. It detects this activity by monitoring for GET requests that receive a 403 Forbidden response with an empty body. This behavior is significant as it indicates potential exploitation attempts against Ivanti Connect Secure systems. If confirmed malicious, attackers could exploit these vulnerabilities to gain unauthorized access or control over the affected systems, leading to potential data breaches or system compromise.
Detection logic
| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url="*/api/v1/configuration/users/user-roles/user-role/rest-userrole1/web/web-bookmarks/bookmark*" Web.http_method=GET Web.status=403 by Web.src, Web.dest, Web.http_user_agent, Web.status, Web.url source
| `drop_dm_object_name("Web")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `access_to_vulnerable_ivanti_connect_secure_bookmark_endpoint_filter`