added papercut and bitbucket detections ebpf

Signed-off-by: research <[email protected]>

Author: hkonduri

Atlassian-Bitbucket/CVE-2022-36804/Falco/falco-cve-2022-36804.yaml

@@ -0,0 +1,19 @@
+- list: shell_binaries
+  items: [ash, bash, csh, ksh, sh, tcsh, zsh, dash]
+
+- macro: bitbucket_environment_variables
+  condition: (proc.env contains 'BITBUCKET_HOME' and proc.env contains 'BITBUCKET_INSTALL_DIR' and proc.env contains 'BITBUCKET_USER')
+
+- rule: Bitbucket Unauthenticated Remote Code Execution CVE-2022-36804 Exploited
+  desc: Detecs the execution of system commands using git. Possible exploitation of CVE-2022-36804.
+  condition: >
+    evt.dir=< and
+    evt.type=execve and 
+    proc.name in (shell_binaries) and 
+    proc.pname=git and 
+    bitbucket_environment_variables and
+    proc.args startswith "-c" and 
+    proc.args  contains "/'"
+  output: "CVE-2022-36804 exploit attempt detected (user.name=%user.name user.loginuid=%user.loginuid proc.exeline=%proc.exeline proc.name=%proc.name proc.cwd=%proc.cwd container.id=%container.id)"
+  priority: CRITICAL
+  tags: [host,container,exploit,CVE_2022_36804,bitbucket,Mitre_Initial_Access, T1190] 

PaperCut/CVE-2023-27350/Falco/falco-cve-2023-27350.yaml

@@ -0,0 +1,21 @@
+- macro: java_system_command_getRuntime
+  condition: (evt.arg.data contains 'Runtime' and evt.arg.data contains 'getRuntime' and evt.arg.data contains '.exec%28' )
+
+- macro: java_system_command_processBuilder
+  condition: (evt.arg.data contains 'ProcessBuilder' and evt.arg.data contains '.start%28')
+
+- macro: papercut_scripting_form_data
+  condition: (evt.arg.data contains 'service=' and evt.arg.data contains 'printerId=' and evt.arg.data contains 'enablePrintScript=' and evt.arg.data contains 'scriptBody=')
+
+- rule: PaperCut Remote Code Execution CVE-2023-27350 Exploited
+  desc: Detects the execution of system commands using Papercut App Server. Possible exploitation of CVE-2023-27350.
+  condition: >
+    evt.dir=< and
+    evt.type=read and
+    papercut_scripting_form_data and
+    (evt.arg.data contains 'ProcessBuilder.Command%28' or
+    java_system_command_getRuntime or
+    java_system_command_processBuilder)
+  output: "CVE-2023-27350 Remote Code Execution detected (event=%evt.type server_ip=%fd.sip server_port=%fd.sport proto=%fd.l4proto fd.cip=%fd.cip user.name=%user.name user.loginuid=%user.loginuid parent=%proc.pname process=%proc.name container_id=%container.id)"
+  priority: CRITICAL
+  tags: [host,container,exploit,CVE_2023_27350,Papercut,Mitre_Initial_Access, T1190]

PaperCut/CVE-2023-27351/Falco/falco-cve-2023-27351.yaml

@@ -0,0 +1,13 @@
+- macro: papercut_http_request
+  condition: (evt.arg.data contains '/app?service=' and evt.arg.data contains '/SetupCompleted')
+
+- rule: PaperCut Authentication Bypass CVE-2023-27351 Exploitied
+  desc: Detects the exploitation of CVE-2023-27351 inorder to bypass authentication in Papercut.
+  condition: >
+    evt.dir=< and
+    evt.type=read and
+    papercut_http_request and
+    (fd.typechar=4 or fd.typechar=6)
+  output: "Possible Authentication Bypass CVE-2023-27351 detected (event=%evt.type server_ip=%fd.sip server_port=%fd.sport proto=%fd.l4proto fd.cip=%fd.cip parent=%proc.pname process=%proc.name container_id=%container.id)"
+  priority: WARNING
+  tags: [host,container,CVE_2023_2735,PaperCut,auth_bypass]