Name:VMWare Aria Operations Exploit Attempt id:d5d865e4-03e6-43da-98f4-28a4f42d4df7 version:3 date:2024-09-30 author:Michael Haag, Splunk status:production type:TTP Description:The following analytic detects potential exploitation attempts against VMWare vRealize Network Insight, specifically targeting the CVE-2023-20887 vulnerability. It monitors web traffic for HTTP POST requests directed at the vulnerable endpoint "/saas./resttosaasservlet." This detection leverages web traffic data, focusing on specific URL patterns and HTTP methods. Identifying this behavior is crucial for a SOC as it indicates an active exploit attempt. If confirmed malicious, the attacker could execute arbitrary code, leading to unauthorized access, data theft, or further network compromise. Data_source:
-Palo Alto Network Threat
search:| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("*/saas./resttosaasservlet*") Web.http_method=POST Web.status IN ("unknown", "200") by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `vmware_aria_operations_exploit_attempt_filter`
how_to_implement:To successfully implement this search, you need to be ingesting web or proxy logs, or ensure it is being filled by a proxy like device, into the Web Datamodel. Restrict to specific dest assets to reduce false positives. known_false_positives:False positives will be present based on gateways in use, modify the status field as needed. References: -https://nvd.nist.gov/vuln/detail/CVE-2023-20887 -https://viz.greynoise.io/tag/vmware-aria-operations-for-networks-rce-attempt?days=30 -https://github.com/sinsinology/CVE-2023-20887 -https://summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-20887/ drilldown_searches: name:'View the detection results for - "$dest$"' search:'%original_detection_search% | search dest = "$dest$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$dest$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: CVE: - 'CVE-2023-20887' analytic_story: - 'VMware Aria Operations vRealize CVE-2023-20887' asset_type:Web Server atomic_guid: confidence:80 impact:90 message:An exploitation attempt has occurred against $dest$ from $src$ related to CVE-2023-20887 mitre_attack_id: - 'T1133' - 'T1190' - 'T1210' - 'T1068' observable: name:'dest' type:'Hostname' - role: - 'Victim' name:'src' type:'IP Address' - role: - 'Attacker' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' risk_score:72 required_fields: - 'Web.http_method' - 'Web.url' - 'Web.url_length' - 'Web.src' - 'Web.dest' - 'Web.http_user_agent' security_domain:network
