From 5321ae9e54adaa3ebb65bcd00a8c66fe2db5be51 Mon Sep 17 00:00:00 2001 From: Matthew Green Date: Sun, 1 Oct 2023 15:43:46 +1100 Subject: [PATCH] Create WS_FTP.yaml --- content/exchange/artifacts/WS_FTP.yaml | 137 +++++++++++++++++++++++++ 1 file changed, 137 insertions(+) create mode 100644 content/exchange/artifacts/WS_FTP.yaml diff --git a/content/exchange/artifacts/WS_FTP.yaml b/content/exchange/artifacts/WS_FTP.yaml new file mode 100644 index 00000000000..23777a142fe --- /dev/null +++ b/content/exchange/artifacts/WS_FTP.yaml @@ -0,0 +1,137 @@ +name: Windows.Detection.WS_FTP +author: Matt Green - @mgreen27 +description: | + This is an artifact to detect exploitation of a MoveIt WS_FTP critical + vulnerability observed in the wild. CVE-2023-34362 + + CVE-2023–40044 is a severe .NET deserialization vulnerability in WS_FTP + Server’s Ad Hoc Transfer module, allowing a pre-authenticated attacker to + execute remote commands on the server’s operating system. + + CVE-2023–42657 is a directory traversal vulnerability, enabling attackers to + perform file operations outside their authorized WS_FTP folder path and + operate on the underlying OS. + + Both vulnerabilities are critical, with CVSS scores of 8.8 and 9.9 + respectively, and affect versions prior to 8.7.4 and 8.8.2​. + + The artifact enables detection via: + + - Yara: IIS logs + + Last updated: 2023-10-01T04:44Z + +reference: + - https://www.rapid7.com/blog/post/2023/09/29/etr-critical-vulnerabilities-in-ws_ftp-server/ + +type: CLIENT +resources: + timeout: 1800 + +parameters: + - name: DateAfter + type: timestamp + default: 1685232000 + description: "Search for events or Modification time after this date. YYYY-MM-DDTmm:hh:ssZ" + - name: DateBefore + type: timestamp + description: "Search for events or Modification time after this date. YYYY-MM-DDTmm:hh:ssZ" + - name: AllDrives + type: bool + description: "By default we target yara at all drives" + default: Y + - name: DriveLetter + description: "Target yara drive. Default is a C: if not AllDrives" + default: "C:" + - name: LogYara + default: | + rule LOG_ws_ftp_exploit { + meta: + description = "Detects potential exploitation of Progress Software WS_FTP Server in IIS logs" + author = "Matt Green - @mgreen27" + reference = "https://www.rapid7.com/blog/post/2023/09/29/etr-critical-vulnerabilities-in-ws_ftp-server/" + date = "2023-10-01" + score = 80 + strings: + $post = /\n.{1,50} POST \/AHT\/.{1,250}\n/ + condition: + any of them + } + - name: NumberOfHits + description: This artifact will stop by default at one hit. This setting allows additional hits + default: 1 + type: int64 + - name: ContextBytes + description: Include this amount of bytes around hit as context. + default: 0 + type: int + - name: UploadYaraHits + type: bool + +sources: + - precondition: + SELECT OS From info() where OS = 'windows' + + name: Yara + query: | + -- check which Yara to use + LET yara_rules <= LogYara + + -- first find all matching files mft + LET files = SELECT OSPath, IsDir + FROM Artifact.Windows.NTFS.MFT(MFTDrive=DriveLetter, AllDrives=AllDrives, + FileRegex='^u_.+\.log$', + PathRegex='inetpub' ) + WHERE NOT IsDir + AND NOT OSPath =~ '''.:\\\\''' + AND (FileName=~ '^u_.+\.log$' AND OSPath =~ 'inetpub' ) + AND if(condition=DateAfter, + then= LastRecordChange0x10 > DateAfter, + else= True) + AND if(condition=DateBefore, + then= LastRecordChange0x10 < DateBefore, + else= True) + + -- scan files and only report a single hit. + LET hits = SELECT * FROM foreach(row=files, + query={ + SELECT + FileName, OSPath, + File.Size AS Size, + File.ModTime AS ModTime, + Rule, Tags, Meta, + String.Name as YaraString, + String.Offset as HitOffset, + upload( accessor='scope', + file='String.Data', + name=format(format="%v-%v-%v", + args=[ + OSPath, + if(condition= String.Offset - ContextBytes < 0, + then= 0, + else= String.Offset - ContextBytes), + if(condition= String.Offset + ContextBytes > File.Size, + then= File.Size, + else= String.Offset + ContextBytes) ] + )) as HitContext + FROM yara(rules=yara_rules, files=OSPath, context=ContextBytes,number=NumberOfHits) + }) + + -- upload files that have hit + LET upload_hits=SELECT *, + upload(file=OSPath) AS Upload + FROM hits + GROUP BY OSPath + + -- return rows + SELECT * FROM if(condition=UploadYaraHits, + then={ SELECT * FROM upload_hits}, + else={ SELECT * FROM hits}) + +column_types: + - name: HitContext + type: preview_upload + - name: ModTime + type: timestamp + - name: EventTime + type: timestamp