-
Notifications
You must be signed in to change notification settings - Fork 392
/
Copy pathweb_spring_cloud_function_functionrouter.yml
73 lines (73 loc) · 3.23 KB
/
web_spring_cloud_function_functionrouter.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
name: Web Spring Cloud Function FunctionRouter
id: 89dddbad-369a-4f8a-ace2-2439218735bc
version: 4
date: '2024-11-15'
author: Michael Haag, Splunk
status: production
type: TTP
description: The following analytic identifies HTTP POST requests to the Spring Cloud
Function endpoint containing "functionRouter" in the URL. It leverages the Web data
model to detect these requests based on specific fields such as http_method, url,
and http_user_agent. This activity is significant because it targets CVE-2022-22963,
a known vulnerability in Spring Cloud Function, which has multiple proof-of-concept
exploits available. If confirmed malicious, this activity could allow attackers
to execute arbitrary code, potentially leading to unauthorized access, data exfiltration,
or further compromise of the affected system.
data_source:
- Splunk Stream HTTP
search: '| tstats count from datamodel=Web where Web.http_method IN ("POST") Web.url="*/functionRouter*"
by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest
Web.status sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` | `web_spring_cloud_function_functionrouter_filter`'
how_to_implement: To successfully implement this search you need to be ingesting information
on Web traffic that include fields relavent for traffic into the `Web` datamodel.
known_false_positives: False positives may be present with legitimate applications.
Attempt to filter by dest IP or use Asset groups to restrict to servers.
references:
- https://github.com/rapid7/metasploit-framework/pull/16395
- https://github.com/hktalent/spring-spel-0day-poc
drilldown_searches:
- name: View the detection results for - "$dest$"
search: '%original_detection_search% | search dest = "$dest$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime
values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
rba:
message: A suspicious URL has been requested against $dest$ by $src$, related to
a vulnerability in Spring Cloud.
risk_objects:
- field: dest
type: system
score: 42
threat_objects:
- field: src
type: ip_address
tags:
analytic_story:
- Spring4Shell CVE-2022-22965
asset_type: Web Server
cve:
- CVE-2022-22963
mitre_attack_id:
- T1190
- T1133
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
security_domain: network
tests:
- name: True Positive Test
attack_data:
- data:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/spring4shell/all_functionrouter_http_streams.log
source: stream:http
sourcetype: stream:http