From b5041011c10bdd2af986dc61f80898a124f0504b Mon Sep 17 00:00:00 2001 From: Michael Haag <5632822+MHaggis@users.noreply.github.com> Date: Wed, 24 Jul 2024 12:16:25 -0600 Subject: [PATCH 1/4] The Haag Returns --- ...oveit_certificate_store_access_failure.yml | 45 +++++++++++++++++++ ...key_fingerprint_authentication_attempt.yml | 45 +++++++++++++++++++ macros/moveit_sftp_logs.yml | 4 ++ .../moveit_transfer_authentication_bypass.yml | 32 +++++++++++++ 4 files changed, 126 insertions(+) create mode 100644 detections/endpoint/moveit_certificate_store_access_failure.yml create mode 100644 detections/endpoint/moveit_empty_key_fingerprint_authentication_attempt.yml create mode 100644 macros/moveit_sftp_logs.yml create mode 100644 stories/moveit_transfer_authentication_bypass.yml diff --git a/detections/endpoint/moveit_certificate_store_access_failure.yml b/detections/endpoint/moveit_certificate_store_access_failure.yml new file mode 100644 index 0000000000..5b3194e473 --- /dev/null +++ b/detections/endpoint/moveit_certificate_store_access_failure.yml 
@@ -0,0 +1,45 @@ +name: MOVEit Certificate Store Access Failure +id: d61292d5-46e4-49ea-b23b-8049ea70b525 +version: 1 +date: '2024-07-24' +author: Michael Haag, Splunk +data_sources: [] +type: Hunting +status: experimental +description: This detection identifies potential exploitation attempts of the CVE-2024-5806 vulnerability in Progress MOVEit Transfer. It looks for log entries indicating failures to access the certificate store, which can occur when an attacker attempts to exploit the authentication bypass vulnerability. This behavior is a key indicator of attempts to impersonate valid users without proper credentials. While certificate store access failures can occur during normal operations, an unusual increase in such events, especially from unexpected sources, may indicate malicious activity. +search: '`moveit_sftp_logs` "IpWorksKeyService: Caught exception of type IPWorksSSHException: The certificate store could not be opened"| stats count by source _raw | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `moveit_certificate_store_access_failure_filter`' +how_to_implement: The MOVEit logs must be collected in Splunk. Currently, there is no TA available for MOVEit. Modify the analytic as needed to match the log format of your environment. +known_false_positives: False positives may occur, therefore utilize the analytic as a jump off point to identifiy potential certificate store errors. +references: +- https://labs.watchtowr.com/auth-bypass-in-un-limited-scenarios-progress-moveit-transfer-cve-2024-5806/ +tags: + analytic_story: + - MOVEit Transfer Authentication Bypass + asset_type: Web Server + confidence: 30 + impact: 30 + message: Potential exploitation of the CVE-2024-5806 vulnerability in Progress MOVEit Transfer, causing certificate store access failure on $source$. 
+ mitre_attack_id: + - T1190 + observable: + - name: source + type: Endpoint + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - source + - _raw + risk_score: 9 + security_domain: endpoint + cve: + - CVE-2024-5806 +tests: +- name: True Positive Test + attack_data: + - data: /Users/mhaag/Research/malware/GitHub/attack_data/datasets/attack_techniques/T1190/moveit/SftpServer.log + sourcetype: sftp_server_logs + source: sftp_server_logs diff --git a/detections/endpoint/moveit_empty_key_fingerprint_authentication_attempt.yml b/detections/endpoint/moveit_empty_key_fingerprint_authentication_attempt.yml new file mode 100644 index 0000000000..c82a328129 --- /dev/null +++ b/detections/endpoint/moveit_empty_key_fingerprint_authentication_attempt.yml 
@@ -0,0 +1,45 @@ +name: MOVEit Empty Key Fingerprint Authentication Attempt +id: 1a537acc-199f-4713-b5d7-3d98c05ab932 +version: 1 +date: '2024-07-24' +author: Michael Haag, Splunk +data_sources: [] +type: Hunting +status: experimental +description: This detection identifies attempts to authenticate with an empty public key fingerprint in Progress MOVEit Transfer, which is a key indicator of potential exploitation of the CVE-2024-5806 vulnerability. Such attempts are characteristic of the authentication bypass technique used in this vulnerability, where attackers try to impersonate valid users without providing proper credentials. While occasional empty key fingerprint authentication attempts might occur due to misconfigurations, a sudden increase or attempts from unexpected sources could signify malicious activity. This analytic helps security teams identify and investigate potential exploitation attempts of the MOVEit Transfer authentication bypass vulnerability. +search: '`moveit_sftp_logs` "UserAuthRequestHandler: SftpPublicKeyAuthenticator: Attempted to authenticate empty public key fingerprint" | stats count by source _raw | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `moveit_empty_key_fingerprint_authentication_attempt_filter`' +how_to_implement: The MOVEit logs must be collected in Splunk. Currently, there is no TA available for MOVEit. Modify the analytic as needed to match the log format of your environment. +known_false_positives: False positives may occur, therefore utilize the analytic as a jump off point to identify potential empty key fingerprint authentication attempts. 
+references: +- https://labs.watchtowr.com/auth-bypass-in-un-limited-scenarios-progress-moveit-transfer-cve-2024-5806/ +tags: + analytic_story: + - MOVEit Transfer Authentication Bypass + asset_type: Web Server + confidence: 30 + impact: 30 + message: Potential exploitation of the CVE-2024-5806 vulnerability in Progress MOVEit Transfer, causing empty key fingerprint authentication attempts via $source$. + mitre_attack_id: + - T1190 + observable: + - name: source + type: Endpoint + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - source + - _raw + risk_score: 9 + security_domain: endpoint + cve: + - CVE-2024-5806 +tests: +- name: True Positive Test + attack_data: + - data: /Users/mhaag/Research/malware/GitHub/attack_data/datasets/attack_techniques/T1190/moveit/SftpServer.log + sourcetype: sftp_server_logs + source: sftp_server_logs diff --git a/macros/moveit_sftp_logs.yml b/macros/moveit_sftp_logs.yml new file mode 100644 index 0000000000..0cae0bd423 --- /dev/null +++ b/macros/moveit_sftp_logs.yml @@ -0,0 +1,4 @@ +definition: sourcetype="sftp_server_logs" +description: customer specific splunk configurations(eg- index, source, sourcetype). + Replace the macro definition with configurations for your Splunk Environmnent. +name: moveit_sftp_logs \ No newline at end of file diff --git a/stories/moveit_transfer_authentication_bypass.yml b/stories/moveit_transfer_authentication_bypass.yml new file mode 100644 index 0000000000..d2dcbbd367 --- /dev/null +++ b/stories/moveit_transfer_authentication_bypass.yml 
@@ -0,0 +1,32 @@ +name: MOVEit Transfer Authentication Bypass +id: b4c0b91f-eee5-47fd-ab02-11f68a9c0858 +version: 1 +date: '2024-06-28' +author: Michael Haag, Splunk +description: 'This analytic story addresses the critical authentication bypass vulnerability (CVE-2024-5806) in Progress MOVEit Transfer. The vulnerability allows attackers to impersonate any valid user on the system without proper credentials, potentially leading to unauthorized access, data theft, and system compromise. This story includes detections for key indicators of exploitation attempts, helping security teams identify and respond to potential attacks leveraging this vulnerability.' +narrative: 'In June 2024, a severe authentication bypass vulnerability (CVE-2024-5806) was discovered in Progress MOVEit Transfer, a widely used file transfer solution. This vulnerability allows attackers to bypass authentication and impersonate any valid user on the system, even without prior access or the ability to upload files. + + The vulnerability stems from improper handling of SSH public key authentication in the SFTP module. Attackers can exploit this by providing a file path instead of a valid public key during the authentication process, tricking the server into reading a maliciously crafted public key from its own log files. + + Exploitation requires only knowledge of a valid username, making it relatively easy to exploit. The vulnerability also allows for username enumeration, further increasing its potential impact. + + Key indicators of exploitation attempts include: + 1. Certificate store access failures + 2. Empty key fingerprint authentication attempts + 3. Unusual key fingerprint validation patterns + 4. Authentication denials followed by key validations + 5. Illegal characters in path exceptions + + This analytic story provides detections for these indicators, helping security teams identify potential exploitation attempts. 
Given the severity of this vulnerability and its potential for unauthorized access and data exfiltration, it is crucial for organizations using MOVEit Transfer to implement these detections, monitor for suspicious activity, and ensure systems are patched to version 2024.0.2 or later.' +references: +- https://labs.watchtowr.com/auth-bypass-in-un-limited-scenarios-progress-moveit-transfer-cve-2024-5806/ +tags: + category: + - Adversary Tactics + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + usecase: Advanced Threat Detection + cve: + - CVE-2024-5806 \ No newline at end of file From a4a1b58ebcc6437c6cdf0b0bbe5f8c5c7f0bf0f5 Mon Sep 17 00:00:00 2001 From: Michael Haag <5632822+MHaggis@users.noreply.github.com> Date: Wed, 24 Jul 2024 12:21:58 -0600 Subject: [PATCH 2/4] oopsies --- detections/endpoint/moveit_certificate_store_access_failure.yml | 2 +- .../moveit_empty_key_fingerprint_authentication_attempt.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/detections/endpoint/moveit_certificate_store_access_failure.yml b/detections/endpoint/moveit_certificate_store_access_failure.yml index 5b3194e473..6e2c330366 100644 --- a/detections/endpoint/moveit_certificate_store_access_failure.yml +++ b/detections/endpoint/moveit_certificate_store_access_failure.yml @@ -40,6 +40,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: /Users/mhaag/Research/malware/GitHub/attack_data/datasets/attack_techniques/T1190/moveit/SftpServer.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/moveit/SftpServer.log sourcetype: sftp_server_logs source: sftp_server_logs diff --git a/detections/endpoint/moveit_empty_key_fingerprint_authentication_attempt.yml b/detections/endpoint/moveit_empty_key_fingerprint_authentication_attempt.yml index c82a328129..574422e286 100644 --- a/detections/endpoint/moveit_empty_key_fingerprint_authentication_attempt.yml 
+++ b/detections/endpoint/moveit_empty_key_fingerprint_authentication_attempt.yml @@ -40,6 +40,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: /Users/mhaag/Research/malware/GitHub/attack_data/datasets/attack_techniques/T1190/moveit/SftpServer.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/moveit/SftpServer.log sourcetype: sftp_server_logs source: sftp_server_logs From 5b679e8ef770d15585f4af18b329daf20eebf6d4 Mon Sep 17 00:00:00 2001 From: pyth0n1c Date: Wed, 24 Jul 2024 11:33:50 -0700 Subject: [PATCH 3/4] change data_sources to data_source --- detections/endpoint/moveit_certificate_store_access_failure.yml | 2 +- .../moveit_empty_key_fingerprint_authentication_attempt.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/detections/endpoint/moveit_certificate_store_access_failure.yml b/detections/endpoint/moveit_certificate_store_access_failure.yml index 6e2c330366..7eceddb069 100644 --- a/detections/endpoint/moveit_certificate_store_access_failure.yml +++ b/detections/endpoint/moveit_certificate_store_access_failure.yml @@ -3,7 +3,7 @@ id: d61292d5-46e4-49ea-b23b-8049ea70b525 version: 1 date: '2024-07-24' author: Michael Haag, Splunk -data_sources: [] +data_source: [] type: Hunting status: experimental description: This detection identifies potential exploitation attempts of the CVE-2024-5806 vulnerability in Progress MOVEit Transfer. It looks for log entries indicating failures to access the certificate store, which can occur when an attacker attempts to exploit the authentication bypass vulnerability. This behavior is a key indicator of attempts to impersonate valid users without proper credentials. While certificate store access failures can occur during normal operations, an unusual increase in such events, especially from unexpected sources, may indicate malicious activity. 
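Review bot: renaming `data_sources` to `data_source` fixes the schema key, but the value stays `[]`, so the detection still declares no data source even though its search is pinned to `sourcetype="sftp_server_logs"` through the `moveit_sftp_logs` macro. Either list the MOVEit SFTP server log as the data source here or state in `how_to_implement` which file (`SftpServer.log`) and sourcetype the macro expects, so the empty list is not read as "any input".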
diff --git a/detections/endpoint/moveit_empty_key_fingerprint_authentication_attempt.yml b/detections/endpoint/moveit_empty_key_fingerprint_authentication_attempt.yml index 574422e286..53dcfd5fc5 100644 --- a/detections/endpoint/moveit_empty_key_fingerprint_authentication_attempt.yml +++ b/detections/endpoint/moveit_empty_key_fingerprint_authentication_attempt.yml @@ -3,7 +3,7 @@ id: 1a537acc-199f-4713-b5d7-3d98c05ab932 version: 1 date: '2024-07-24' author: Michael Haag, Splunk -data_sources: [] +data_source: [] type: Hunting status: experimental description: This detection identifies attempts to authenticate with an empty public key fingerprint in Progress MOVEit Transfer, which is a key indicator of potential exploitation of the CVE-2024-5806 vulnerability. Such attempts are characteristic of the authentication bypass technique used in this vulnerability, where attackers try to impersonate valid users without providing proper credentials. While occasional empty key fingerprint authentication attempts might occur due to misconfigurations, a sudden increase or attempts from unexpected sources could signify malicious activity. This analytic helps security teams identify and investigate potential exploitation attempts of the MOVEit Transfer authentication bypass vulnerability. From 91e12957ee268a5cd104016b563448521d2448fb Mon Sep 17 00:00:00 2001 From: Michael Haag <5632822+MHaggis@users.noreply.github.com> Date: Wed, 24 Jul 2024 13:28:38 -0600 Subject: [PATCH 4/4] production --- detections/endpoint/moveit_certificate_store_access_failure.yml | 2 +- .../moveit_empty_key_fingerprint_authentication_attempt.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/detections/endpoint/moveit_certificate_store_access_failure.yml b/detections/endpoint/moveit_certificate_store_access_failure.yml index 7eceddb069..78f9a718ff 100644 --- a/detections/endpoint/moveit_certificate_store_access_failure.yml 
+++ b/detections/endpoint/moveit_certificate_store_access_failure.yml @@ -5,7 +5,7 @@ date: '2024-07-24' author: Michael Haag, Splunk data_source: [] type: Hunting -status: experimental +status: production description: This detection identifies potential exploitation attempts of the CVE-2024-5806 vulnerability in Progress MOVEit Transfer. It looks for log entries indicating failures to access the certificate store, which can occur when an attacker attempts to exploit the authentication bypass vulnerability. This behavior is a key indicator of attempts to impersonate valid users without proper credentials. While certificate store access failures can occur during normal operations, an unusual increase in such events, especially from unexpected sources, may indicate malicious activity. search: '`moveit_sftp_logs` "IpWorksKeyService: Caught exception of type IPWorksSSHException: The certificate store could not be opened"| stats count by source _raw | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `moveit_certificate_store_access_failure_filter`' how_to_implement: The MOVEit logs must be collected in Splunk. Currently, there is no TA available for MOVEit. Modify the analytic as needed to match the log format of your environment. diff --git a/detections/endpoint/moveit_empty_key_fingerprint_authentication_attempt.yml b/detections/endpoint/moveit_empty_key_fingerprint_authentication_attempt.yml index 53dcfd5fc5..4be4c33ed8 100644 --- a/detections/endpoint/moveit_empty_key_fingerprint_authentication_attempt.yml +++ b/detections/endpoint/moveit_empty_key_fingerprint_authentication_attempt.yml 
@@ -5,7 +5,7 @@ date: '2024-07-24' author: Michael Haag, Splunk data_source: [] type: Hunting -status: experimental +status: production description: This detection identifies attempts to authenticate with an empty public key fingerprint in Progress MOVEit Transfer, which is a key indicator of potential exploitation of the CVE-2024-5806 vulnerability. Such attempts are characteristic of the authentication bypass technique used in this vulnerability, where attackers try to impersonate valid users without providing proper credentials. While occasional empty key fingerprint authentication attempts might occur due to misconfigurations, a sudden increase or attempts from unexpected sources could signify malicious activity. This analytic helps security teams identify and investigate potential exploitation attempts of the MOVEit Transfer authentication bypass vulnerability. search: '`moveit_sftp_logs` "UserAuthRequestHandler: SftpPublicKeyAuthenticator: Attempted to authenticate empty public key fingerprint" | stats count by source _raw | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `moveit_empty_key_fingerprint_authentication_attempt_filter`' how_to_implement: The MOVEit logs must be collected in Splunk. Currently, there is no TA available for MOVEit. Modify the analytic as needed to match the log format of your environment.