-
Notifications
You must be signed in to change notification settings - Fork 392
/
Copy pathcisco_ios_xe_implant_access.yml
75 lines (75 loc) · 3.35 KB
/
cisco_ios_xe_implant_access.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
name: Cisco IOS XE Implant Access
id: 07c36cda-6567-43c3-bc1a-89dff61e2cd9
version: 4
date: '2024-11-15'
author: Michael Haag, Splunk
status: production
type: TTP
data_source:
- Suricata
description: The following analytic identifies the potential exploitation of a vulnerability
(CVE-2023-20198) in the Web User Interface of Cisco IOS XE software. It detects
suspicious account creation and subsequent actions, including the deployment of
a non-persistent implant configuration file. The detection leverages the Web datamodel,
focusing on specific URL patterns and HTTP methods. This activity is significant
as it indicates unauthorized administrative access, which can lead to full control
of the device. If confirmed malicious, attackers could maintain privileged access,
compromising the device's integrity and security.
search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web
where Web.url IN ("/webui/logoutconfirm.html?logon_hash=*") Web.http_method=POST
Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length,
Web.src, Web.dest, sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`| `cisco_ios_xe_implant_access_filter`'
how_to_implement: This detection requires the Web datamodel to be populated from a
supported Technology Add-On like Splunk for Apache, Splunk for Nginx, or Splunk
for Palo Alto.
known_false_positives: False positives may be present, restrict to Cisco IOS XE devices
or perimeter appliances. Modify the analytic as needed based on hunting for successful
exploitation of CVE-2023-20198.
references:
- https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/
- https://github.com/vulncheck-oss/cisco-ios-xe-implant-scanner
drilldown_searches:
- name: View the detection results for - "$dest$"
search: '%original_detection_search% | search dest = "$dest$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime
values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
rba:
message: Possible exploitation of CVE-2023-20198 against $dest$ by $src$.
risk_objects:
- field: dest
type: system
score: 81
threat_objects:
- field: src
type: ip_address
tags:
cve:
- CVE-2023-20198
analytic_story:
- Cisco IOS XE Software Web Management User Interface vulnerability
asset_type: Network
atomic_guid: []
mitre_attack_id:
- T1190
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
security_domain: network
tests:
- name: True Positive Test
attack_data:
- data:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/cisco/iosxe/ciscocve202320198.log
source: suricata
sourcetype: suricata