Merge pull request #2945 from splunk/gitlab_release_v4.20.0

Gitlab release v4.20.0

contentctl.yml

@@ -5,8 +5,8 @@ build:
   name: DA-ESS-ContentUpdate
   path_root: dist
   prefix: ESCU
-  build: 004190
-  version: 4.19.0
+  build: 004200
+  version: 4.20.0
   label: ES Content Updates
   author_name: Splunk Threat Research Team
   author_email: research@splunk.com

detections/web/access_to_vulnerable_ivanti_connect_secure_bookmark_endpoint.yml

@@ -0,0 +1,55 @@
+name: Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint
+id: 15838756-f425-43fa-9d88-a7f88063e81a
+version: 1
+date: '2024-01-16'
+author: Michael Haag, Splunk
+status: production
+type: TTP
+data_source: []
+description: This analytic monitors access to the /api/v1/configuration/users/user-roles/user-role/rest-userrole1/web/web-bookmarks/bookmark endpoint, a key indicator for both CVE-2023-46805 and CVE-2024-21887 vulnerabilities. It detects potential vulnerabilities by looking for a 403 Forbidden response with an empty body on this endpoint. This detection method is used in both Nmap script and Project Discovery Nuclei, with the latter focusing on systems where XML mitigation for these vulnerabilities has not been applied.
+search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url="*/api/v1/configuration/users/user-roles/user-role/rest-userrole1/web/web-bookmarks/bookmark*" Web.http_method=GET Web.status=403 by Web.src, Web.dest, Web.http_user_agent, Web.status, Web.url source
+  | `drop_dm_object_name("Web")`
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)` | `access_to_vulnerable_ivanti_connect_secure_bookmark_endpoint_filter`'
+how_to_implement: This detection requires the Web datamodel to be populated from a supported Technology Add-On like Suricata, Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto.
+known_false_positives: This analytic is limited to HTTP Status 403; adjust as necessary. False positives may occur if the URI path is IP-restricted or externally blocked. It's recommended to review the context of the alerts and adjust the analytic parameters to better fit the specific environment.
+references:
+- https://github.com/RootUp/PersonalStuff/blob/master/http-vuln-cve2023-46805_2024_21887.nse
+- https://github.com/projectdiscovery/nuclei-templates/blob/c6b351e71b0fb0e40e222e97038f1fe09ac58194/http/misconfiguration/ivanti/CVE-2023-46085-CVE-2024-21887-mitigation-not-applied.yaml
+- https://github.com/rapid7/metasploit-framework/pull/18708/files
+tags:
+  cve:
+  - CVE-2023-46805
+  - CVE-2024-21887
+  analytic_story:
+  - Ivanti Connect Secure VPN Vulnerabilities
+  asset_type: VPN Appliance
+  atomic_guid: []
+  confidence: 80
+  impact: 90
+  message: Possible exploitation of CVE-2023-46805 and CVE-2024-21887 against $dest$.
+  mitre_attack_id:
+  - T1190
+  observable:
+  - name: dest
+    type: Hostname
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  risk_score: 72
+  required_fields:
+  - Web.src
+  - Web.dest
+  - Web.http_user_agent
+  - Web.status
+  - Web.url
+  security_domain: network
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/ivanti/ivanti_bookmark_web_access.log
+    source: suricata
+    sourcetype: suricata

detections/web/ivanti_connect_secure_command_injection_attempts.yml

@@ -0,0 +1,57 @@
+name: Ivanti Connect Secure Command Injection Attempts
+id: 1f32a7e0-a060-4545-b7de-73fcf9ad536e
+version: 1
+date: '2024-01-16'
+author: Michael Haag, Splunk
+status: production
+type: TTP
+data_source: []
+description: This analytic is designed to identify the exploit phase of the CVE-2023-46805 and CVE-2024-21887 vulnerabilities. During this phase, a POST request is made to the /api/v1/totp/user-backup-code/../../system/maintenance/archiving/cloud-server-test-connection URI. This request exploits the command injection vulnerability to execute arbitrary commands. A successful request, indicated by a 200 OK response, suggests that the system is vulnerable.
+search: '| tstats count min(_time) as firstTime max(__time) as lastTime from datamodel=Web where Web.url="*/api/v1/totp/user-backup-code/../../system/maintenance/archiving/cloud-server-test-connection*" Web.http_method=POST Web.status=200 by Web.src, Web.dest, Web.http_user_agent, Web.url
+  | `drop_dm_object_name("Web")`
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)`
+  | `ivanti_connect_secure_command_injection_attempts_filter`'
+how_to_implement: This detection requires the Web datamodel to be populated from a supported Technology Add-On like Suricata, Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto.
+known_false_positives: This analytic is limited to HTTP Status 200; adjust as necessary. False positives may occur if the URI path is IP-restricted or externally blocked. It's recommended to review the context of the alerts and adjust the analytic parameters to better fit the specific environment.
+references:
+- https://github.com/RootUp/PersonalStuff/blob/master/http-vuln-cve2023-46805_2024_21887.nse
+- https://github.com/projectdiscovery/nuclei-templates/blob/c6b351e71b0fb0e40e222e97038f1fe09ac58194/http/misconfiguration/ivanti/CVE-2023-46085-CVE-2024-21887-mitigation-not-applied.yaml
+- https://github.com/rapid7/metasploit-framework/pull/18708/files
+- https://attackerkb.com/topics/AdUh6by52K/cve-2023-46805/rapid7-analysis
+- https://labs.watchtowr.com/welcome-to-2024-the-sslvpn-chaos-continues-ivanti-cve-2023-46805-cve-2024-21887/
+tags:
+  cve:
+  - CVE-2023-46805
+  - CVE-2024-21887
+  analytic_story:
+  - Ivanti Connect Secure VPN Vulnerabilities
+  asset_type: VPN Appliance
+  atomic_guid: []
+  confidence: 90
+  impact: 100
+  message: Possible exploitation of CVE-2023-46805 and CVE-2024-21887 against $dest$.
+  mitre_attack_id:
+  - T1190
+  observable:
+  - name: dest
+    type: Hostname
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  risk_score: 90
+  required_fields:
+  - Web.src
+  - Web.dest
+  - Web.http_user_agent
+  - Web.url
+  security_domain: network
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/ivanti/suricata_ivanti_secure_connect_exploitphase.log
+    source: suricata
+    sourcetype: suricata

detections/web/ivanti_connect_secure_system_information_access_via_auth_bypass.yml

@@ -0,0 +1,55 @@
+name: Ivanti Connect Secure System Information Access via Auth Bypass
+id: d51c13dd-a232-4c83-a2bb-72ab36233c5d
+version: 1
+date: '2024-01-16'
+author: Michael Haag, Splunk
+status: production
+type: Anomaly
+data_source: []
+description: This analytic is designed to identify the "check phase" of the CVE-2023-46805 and CVE-2024-21887 vulnerabilities. During this phase, a GET request is made to the /api/v1/totp/user-backup-code/../../system/system-information URI. This request exploits the authentication bypass vulnerability to gain access to system information. A successful request, indicated by a 200 OK response, suggests that the system is vulnerable.
+search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url="*/api/v1/totp/user-backup-code/../../system/system-information*" Web.http_method=GET Web.status=200 by Web.src, Web.dest, Web.http_user_agent, Web.url
+  | `drop_dm_object_name("Web")`
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)`
+  | `ivanti_connect_secure_system_information_access_via_auth_bypass_filter`'
+how_to_implement: This detection requires the Web datamodel to be populated from a supported Technology Add-On like Suricata, Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto.
+known_false_positives: This analytic is limited to HTTP Status 200; adjust as necessary. False positives may occur if the URI path is IP-restricted or externally blocked. It's recommended to review the context of the alerts and adjust the analytic parameters to better fit the specific environment.
+references:
+- https://github.com/RootUp/PersonalStuff/blob/master/http-vuln-cve2023-46805_2024_21887.nse
+- https://github.com/projectdiscovery/nuclei-templates/blob/c6b351e71b0fb0e40e222e97038f1fe09ac58194/http/misconfiguration/ivanti/CVE-2023-46085-CVE-2024-21887-mitigation-not-applied.yaml
+- https://github.com/rapid7/metasploit-framework/pull/18708/files
+tags:
+  cve:
+  - CVE-2023-46805
+  - CVE-2024-21887
+  analytic_story:
+  - Ivanti Connect Secure VPN Vulnerabilities
+  asset_type: VPN Appliance
+  atomic_guid: []
+  confidence: 80
+  impact: 90
+  message: Possible exploitation of CVE-2023-46805 and CVE-2024-21887 against $dest$.
+  mitre_attack_id:
+  - T1190
+  observable:
+  - name: dest
+    type: Hostname
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  risk_score: 72
+  required_fields:
+  - Web.src
+  - Web.dest
+  - Web.http_user_agent
+  - Web.url
+  security_domain: network
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/ivanti/suricata_ivanti_secure_connect_checkphase.log
+    source: suricata
+    sourcetype: suricata

dist/DA-ESS-ContentUpdate/app.manifest

@@ -5,7 +5,7 @@
     "id": {
       "group": null, 
       "name": "DA-ESS-ContentUpdate", 
-      "version": "4.19.0"
+      "version": "4.20.0"
     }, 
     "author": [
       {

dist/DA-ESS-ContentUpdate/default/analyticstories.conf

@@ -1,6 +1,6 @@
 #############
 # Automatically generated by generator.py in splunk/security_content
-# On Date: 2024-01-10T18:42:59 UTC
+# On Date: 2024-01-17T18:35:46 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: research@splunk.com
 #############
@@ -14802,6 +14802,16 @@ annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Command And Control"]
 known_false_positives = False positives may be present if the organization works with international businesses. Filter as needed.
 providing_technologies = null
 
+[savedsearch://ESCU - Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint - Rule]
+type = detection
+asset_type = VPN Appliance
+confidence = medium
+explanation = This analytic monitors access to the /api/v1/configuration/users/user-roles/user-role/rest-userrole1/web/web-bookmarks/bookmark endpoint, a key indicator for both CVE-2023-46805 and CVE-2024-21887 vulnerabilities. It detects potential vulnerabilities by looking for a 403 Forbidden response with an empty body on this endpoint. This detection method is used in both Nmap script and Project Discovery Nuclei, with the latter focusing on systems where XML mitigation for these vulnerabilities has not been applied.
+how_to_implement = This detection requires the Web datamodel to be populated from a supported Technology Add-On like Suricata, Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto.
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]}
+known_false_positives = This analytic is limited to HTTP Status 403; adjust as necessary. False positives may occur if the URI path is IP-restricted or externally blocked. It's recommended to review the context of the alerts and adjust the analytic parameters to better fit the specific environment.
+providing_technologies = null
+
 [savedsearch://ESCU - Adobe ColdFusion Access Control Bypass - Rule]
 type = detection
 asset_type = Network
@@ -14997,6 +15007,26 @@ annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installat
 known_false_positives = It is highly possible you will find false positives, however, the base score is set to 2 for _any_ jndi found in raw logs. tune and change as needed, include any filtering.
 providing_technologies = null
 
+[savedsearch://ESCU - Ivanti Connect Secure Command Injection Attempts - Rule]
+type = detection
+asset_type = VPN Appliance
+confidence = medium
+explanation = This analytic is designed to identify the exploit phase of the CVE-2023-46805 and CVE-2024-21887 vulnerabilities. During this phase, a POST request is made to the /api/v1/totp/user-backup-code/../../system/maintenance/archiving/cloud-server-test-connection URI. This request exploits the command injection vulnerability to execute arbitrary commands. A successful request, indicated by a 200 OK response, suggests that the system is vulnerable.
+how_to_implement = This detection requires the Web datamodel to be populated from a supported Technology Add-On like Suricata, Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto.
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]}
+known_false_positives = This analytic is limited to HTTP Status 200; adjust as necessary. False positives may occur if the URI path is IP-restricted or externally blocked. It's recommended to review the context of the alerts and adjust the analytic parameters to better fit the specific environment.
+providing_technologies = null
+
+[savedsearch://ESCU - Ivanti Connect Secure System Information Access via Auth Bypass - Rule]
+type = detection
+asset_type = VPN Appliance
+confidence = medium
+explanation = This analytic is designed to identify the "check phase" of the CVE-2023-46805 and CVE-2024-21887 vulnerabilities. During this phase, a GET request is made to the /api/v1/totp/user-backup-code/../../system/system-information URI. This request exploits the authentication bypass vulnerability to gain access to system information. A successful request, indicated by a 200 OK response, suggests that the system is vulnerable.
+how_to_implement = This detection requires the Web datamodel to be populated from a supported Technology Add-On like Suricata, Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto.
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.AE"]}
+known_false_positives = This analytic is limited to HTTP Status 200; adjust as necessary. False positives may occur if the URI path is IP-restricted or externally blocked. It's recommended to review the context of the alerts and adjust the analytic parameters to better fit the specific environment.
+providing_technologies = null
+
 [savedsearch://ESCU - Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078 - Rule]
 type = detection
 asset_type = Web Server
@@ -16530,6 +16560,17 @@ searches = ["ESCU - Gsuite Drive Share In External Email - Rule", "ESCU - Gsuite
 description = Monitor for activities and techniques associated with insider threats and specifically focusing on malicious insiders operating with in a corporate environment.
 narrative = Insider Threats are best defined by CISA: "Insider threat incidents are possible in any sector or organization. An insider threat is typically a current or former employee, third-party contractor, or business partner. In their present or former role, the person has or had access to an organization's network systems, data, or premises, and uses their access (sometimes unwittingly). To combat the insider threat, organizations can implement a proactive, prevention-focused mitigation program to detect and identify threats, assess risk, and manage that risk - before an incident occurs." An insider is any person who has or had authorized access to or knowledge of an organization's resources, including personnel, facilities, information, equipment, networks, and systems. These are the common insiders that create insider threats: Departing Employees, Security Evaders, Malicious Insiders, and Negligent Employees. This story aims at detecting the malicious insider.
 
+[analytic_story://Ivanti Connect Secure VPN Vulnerabilities]
+category = Adversary Tactics
+last_updated = 2024-01-16
+version = 1
+references = ["https://github.com/RootUp/PersonalStuff/blob/master/http-vuln-cve2023-46805_2024_21887.nse", "https://github.com/projectdiscovery/nuclei-templates/blob/c6b351e71b0fb0e40e222e97038f1fe09ac58194/http/misconfiguration/ivanti/CVE-2023-46085-CVE-2024-21887-mitigation-not-applied.yaml", "https://github.com/rapid7/metasploit-framework/pull/18708/files", "https://attackerkb.com/topics/AdUh6by52K/cve-2023-46805/rapid7-analysis", "https://labs.watchtowr.com/welcome-to-2024-the-sslvpn-chaos-continues-ivanti-cve-2023-46805-cve-2024-21887/", "https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/", "https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day", "https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US"]
+maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}]
+spec_version = 3
+searches = ["ESCU - Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint - Rule", "ESCU - Ivanti Connect Secure Command Injection Attempts - Rule", "ESCU - Ivanti Connect Secure System Information Access via Auth Bypass - Rule"]
+description = The following analytic story addresses critical vulnerabilities CVE-2023-46805 and CVE-2024-21887 in Ivanti Connect Secure and Ivanti Policy Secure Gateways. CVE-2023-46805 is an authentication bypass vulnerability, while CVE-2024-21887 is a command injection flaw, both presenting significant risks in versions 9.x and 22.x. Combined, these vulnerabilities enable unauthenticated threat actors to execute arbitrary commands, compromising system integrity. Immediate mitigation is imperative, with patches scheduled for staggered release. Ivanti has provided interim mitigation steps, and it's crucial for customers to apply these measures to protect their systems against potential exploits.
+narrative = Ivanti Connect Secure and Ivanti Policy Secure gateways face a severe security challenge with the discovery of CVE-2023-46805 and CVE-2024-21887. CVE-2023-46805 allows attackers to bypass authentication in critical web components of versions 9.x and 22.x. More alarmingly, when paired with CVE-2024-21887, a command injection vulnerability, it enables remote attackers to execute arbitrary commands without authentication. This combination poses a heightened threat, undermining the security of enterprise networks. Ivanti has mobilized resources to address these vulnerabilities, offering immediate mitigation advice and scheduling patch releases. Customers are urged to apply these mitigations without delay to safeguard their networks.
+
 [analytic_story://Ivanti EPMM Remote Unauthenticated Access]
 category = Vulnerability
 last_updated = 2023-08-08

dist/DA-ESS-ContentUpdate/default/app.conf

@@ -1,6 +1,6 @@
 #############
 # Automatically generated by generator.py in splunk/security_content
-# On Date: 2024-01-10T18:42:59 UTC
+# On Date: 2024-01-17T18:35:46 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: research@splunk.com
 #############
@@ -10,7 +10,7 @@
 is_configured = false
 state = enabled
 state_change_requires_restart = false
-build = 20240110184052
+build = 20240117183348
 
 [triggers]
 reload.analytic_stories = simple
@@ -26,7 +26,7 @@ reload.es_investigations = simple
 
 [launcher]
 author = Splunk
-version = 4.19.0 
+version = 4.20.0 
 description = Explore the Analytic Stories included with ES Content Updates.
 
 [ui]

dist/DA-ESS-ContentUpdate/default/collections.conf

@@ -1,6 +1,6 @@
 #############
 # Automatically generated by generator.py in splunk/security_content
-# On Date: 2024-01-10T18:42:59 UTC
+# On Date: 2024-01-17T18:35:46 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: research@splunk.com
 #############

dist/DA-ESS-ContentUpdate/default/content-version.conf

@@ -1,8 +1,8 @@
 #############
 # Automatically generated by generator.py in splunk/security_content
-# On Date: 2024-01-10T18:42:59 UTC
+# On Date: 2024-01-17T18:35:46 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: research@splunk.com
 #############
 [content-version]
-version = 4.19.0 
+version = 4.20.0 

dist/DA-ESS-ContentUpdate/default/es_investigations.conf

@@ -1,6 +1,6 @@
 #############
 # Automatically generated by generator.py in splunk/security_content
-# On Date: 2024-01-10T18:42:59 UTC
+# On Date: 2024-01-17T18:35:46 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: research@splunk.com
 #############