-
Notifications
You must be signed in to change notification settings - Fork 392
/
Copy pathvmware_aria_operations_exploit_attempt.yml
80 lines (80 loc) · 3.49 KB
/
vmware_aria_operations_exploit_attempt.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
name: VMWare Aria Operations Exploit Attempt
id: d5d865e4-03e6-43da-98f4-28a4f42d4df7
version: 4
date: '2024-11-15'
author: Michael Haag, Splunk
status: production
type: TTP
data_source:
- Palo Alto Network Threat
description: The following analytic detects potential exploitation attempts against
VMWare vRealize Network Insight, specifically targeting the CVE-2023-20887 vulnerability.
It monitors web traffic for HTTP POST requests directed at the vulnerable endpoint
"/saas./resttosaasservlet." This detection leverages web traffic data, focusing
on specific URL patterns and HTTP methods. Identifying this behavior is crucial
for a SOC as it indicates an active exploit attempt. If confirmed malicious, the
attacker could execute arbitrary code, leading to unauthorized access, data theft,
or further network compromise.
search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web
where Web.url IN ("*/saas./resttosaasservlet*") Web.http_method=POST Web.status
IN ("unknown", "200") by Web.http_user_agent, Web.status Web.http_method, Web.url,
Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` | `vmware_aria_operations_exploit_attempt_filter`'
how_to_implement: To successfully implement this search, you need to be ingesting
web or proxy logs, or ensure it is being filled by a proxy like device, into the
Web Datamodel. Restrict to specific dest assets to reduce false positives.
known_false_positives: False positives will be present based on gateways in use, modify
the status field as needed.
references:
- https://nvd.nist.gov/vuln/detail/CVE-2023-20887
- https://viz.greynoise.io/tag/vmware-aria-operations-for-networks-rce-attempt?days=30
- https://github.com/sinsinology/CVE-2023-20887
- https://summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-20887/
drilldown_searches:
- name: View the detection results for - "$dest$"
search: '%original_detection_search% | search dest = "$dest$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime
values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
rba:
message: An exploitation attempt has occurred against $dest$ from $src$ related
to CVE-2023-20887
risk_objects:
- field: dest
type: system
score: 72
threat_objects:
- field: src
type: ip_address
tags:
cve:
- CVE-2023-20887
analytic_story:
- VMware Aria Operations vRealize CVE-2023-20887
asset_type: Web Server
atomic_guid: []
mitre_attack_id:
- T1133
- T1190
- T1210
- T1068
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
security_domain: network
tests:
- name: True Positive Test
attack_data:
- data:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/vmware/vmware_aria.log
source: pan:threat
sourcetype: pan:threat