LoFP / this analytic is limited to http status 200. false positives may occur if the uri path is ip-restricted or externally blocked. it is recommended to review the context of the alerts and adjust the analytic parameters to better fit the specific environment.

Techniques

• T1190

Sample rules

Adobe ColdFusion Access Control Bypass

• source: splunk
• technicques:
  • T1190

Description

The following analytic detects potential exploitation attempts against Adobe ColdFusion vulnerabilities CVE-2023-29298 and CVE-2023-26360. It monitors requests to specific ColdFusion Administrator endpoints, especially those with an unexpected additional forward slash, using the Web datamodel. This activity is significant for a SOC as it indicates attempts to bypass access controls, which can lead to unauthorized access to ColdFusion administration endpoints. If confirmed malicious, this could result in data theft, brute force attacks, or further exploitation of other vulnerabilities, posing a serious security risk to the environment.

Detection logic

| tstats `security_content_summariesonly`
  count min(_time) as firstTime
        max(_time) as lastTime

FROM datamodel=Web WHERE

Web.url IN (
    "*//CFIDE/adminapi*",
    "*//CFIDE/administrator*",
    "*//CFIDE/componentutils*",
    "*//CFIDE/main*",
    "*//CFIDE/restplay*",
    "*//CFIDE/servermanager*",
    "*//CFIDE/wizards*",
    "*//restplay*",
)
Web.status=200

BY Web.http_user_agent Web.status Web.http_method
   Web.url Web.url_length Web.src Web.dest


| `drop_dm_object_name("Web")`

| `security_content_ctime(firstTime)`

| `security_content_ctime(lastTime)`

| `adobe_coldfusion_access_control_bypass_filter`