splunk · patel-bhavin · Jul 25, 2024 · Jul 24, 2024 · Jul 24, 2024 · Jul 24, 2024
@@ -0,0 +1,45 @@
+name: MOVEit Certificate Store Access Failure
+id: d61292d5-46e4-49ea-b23b-8049ea70b525
+version: 1
+date: '2024-07-24'
+author: Michael Haag, Splunk
+data_source: []
+type: Hunting
+status: production
+description: This detection identifies potential exploitation attempts of the CVE-2024-5806 vulnerability in Progress MOVEit Transfer. It looks for log entries indicating failures to access the certificate store, which can occur when an attacker attempts to exploit the authentication bypass vulnerability. This behavior is a key indicator of attempts to impersonate valid users without proper credentials. While certificate store access failures can occur during normal operations, an unusual increase in such events, especially from unexpected sources, may indicate malicious activity.
+search: '`moveit_sftp_logs` "IpWorksKeyService: Caught exception of type IPWorksSSHException: The certificate store could not be opened"| stats count by source _raw | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `moveit_certificate_store_access_failure_filter`'
+how_to_implement: The MOVEit logs must be collected in Splunk. Currently, there is no TA available for MOVEit. Modify the analytic as needed to match the log format of your environment.
+known_false_positives: False positives may occur, therefore utilize the analytic as a jump off point to identifiy potential certificate store errors.
+references:
+- https://labs.watchtowr.com/auth-bypass-in-un-limited-scenarios-progress-moveit-transfer-cve-2024-5806/
+tags:
+  analytic_story:
+  - MOVEit Transfer Authentication Bypass
+  asset_type: Web Server
+  confidence: 30
+  impact: 30
+  message: Potential exploitation of the CVE-2024-5806 vulnerability in Progress MOVEit Transfer, causing certificate store access failure on $source$.
+  mitre_attack_id:
+  - T1190
+  observable:
+  - name: source
+    type: Endpoint
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - source
+  - _raw
+  risk_score: 9
+  security_domain: endpoint
+  cve:
+  - CVE-2024-5806
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/moveit/SftpServer.log
+    sourcetype: sftp_server_logs
+    source: sftp_server_logs
@@ -0,0 +1,45 @@
+name: MOVEit Empty Key Fingerprint Authentication Attempt
+id: 1a537acc-199f-4713-b5d7-3d98c05ab932
+version: 1
+date: '2024-07-24'
+author: Michael Haag, Splunk
+data_source: []
+type: Hunting
+status: production
+description: This detection identifies attempts to authenticate with an empty public key fingerprint in Progress MOVEit Transfer, which is a key indicator of potential exploitation of the CVE-2024-5806 vulnerability. Such attempts are characteristic of the authentication bypass technique used in this vulnerability, where attackers try to impersonate valid users without providing proper credentials. While occasional empty key fingerprint authentication attempts might occur due to misconfigurations, a sudden increase or attempts from unexpected sources could signify malicious activity. This analytic helps security teams identify and investigate potential exploitation attempts of the MOVEit Transfer authentication bypass vulnerability.
+search: '`moveit_sftp_logs` "UserAuthRequestHandler: SftpPublicKeyAuthenticator: Attempted to authenticate empty public key fingerprint" | stats count by source _raw | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `moveit_empty_key_fingerprint_authentication_attempt_filter`'
+how_to_implement: The MOVEit logs must be collected in Splunk. Currently, there is no TA available for MOVEit. Modify the analytic as needed to match the log format of your environment.
+known_false_positives: False positives may occur, therefore utilize the analytic as a jump off point to identify potential empty key fingerprint authentication attempts.
+references:
+- https://labs.watchtowr.com/auth-bypass-in-un-limited-scenarios-progress-moveit-transfer-cve-2024-5806/
+tags:
+  analytic_story:
+  - MOVEit Transfer Authentication Bypass
+  asset_type: Web Server
+  confidence: 30
+  impact: 30
+  message: Potential exploitation of the CVE-2024-5806 vulnerability in Progress MOVEit Transfer, causing empty key fingerprint authentication attempts via $source$.
+  mitre_attack_id:
+  - T1190
+  observable:
+  - name: source
+    type: Endpoint
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - source
+  - _raw
+  risk_score: 9
+  security_domain: endpoint
+  cve:
+  - CVE-2024-5806
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/moveit/SftpServer.log
+    sourcetype: sftp_server_logs
+    source: sftp_server_logs
@@ -0,0 +1,4 @@
+definition: sourcetype="sftp_server_logs"
+description: customer specific splunk configurations(eg- index, source, sourcetype).
+  Replace the macro definition with configurations for your Splunk Environmnent.
+name: moveit_sftp_logs
@@ -0,0 +1,32 @@
+name: MOVEit Transfer Authentication Bypass
+id: b4c0b91f-eee5-47fd-ab02-11f68a9c0858
+version: 1
+date: '2024-06-28'
+author: Michael Haag, Splunk
+description: 'This analytic story addresses the critical authentication bypass vulnerability (CVE-2024-5806) in Progress MOVEit Transfer. The vulnerability allows attackers to impersonate any valid user on the system without proper credentials, potentially leading to unauthorized access, data theft, and system compromise. This story includes detections for key indicators of exploitation attempts, helping security teams identify and respond to potential attacks leveraging this vulnerability.'
+narrative: 'In June 2024, a severe authentication bypass vulnerability (CVE-2024-5806) was discovered in Progress MOVEit Transfer, a widely used file transfer solution. This vulnerability allows attackers to bypass authentication and impersonate any valid user on the system, even without prior access or the ability to upload files.
+
+  The vulnerability stems from improper handling of SSH public key authentication in the SFTP module. Attackers can exploit this by providing a file path instead of a valid public key during the authentication process, tricking the server into reading a maliciously crafted public key from its own log files.
+
+  Exploitation requires only knowledge of a valid username, making it relatively easy to exploit. The vulnerability also allows for username enumeration, further increasing its potential impact.
+
+  Key indicators of exploitation attempts include:
+  1. Certificate store access failures
+  2. Empty key fingerprint authentication attempts
+  3. Unusual key fingerprint validation patterns
+  4. Authentication denials followed by key validations
+  5. Illegal characters in path exceptions
+
+  This analytic story provides detections for these indicators, helping security teams identify potential exploitation attempts. Given the severity of this vulnerability and its potential for unauthorized access and data exfiltration, it is crucial for organizations using MOVEit Transfer to implement these detections, monitor for suspicious activity, and ensure systems are patched to version 2024.0.2 or later.'
+references: 
+-  https://labs.watchtowr.com/auth-bypass-in-un-limited-scenarios-progress-moveit-transfer-cve-2024-5806/
+tags:
+  category:
+  - Adversary Tactics
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  usecase: Advanced Threat Detection
+  cve:
+  - CVE-2024-5806