Merge pull request #1 from Loginsoft-Research/alpha-01

alpha-detect for multiple products

Author: Loginsoft-Research

Atlassian-Confluence/CVE-2022-26134/Falco/falco-cve-2022-26134.yaml

@@ -0,0 +1,51 @@
+
+- list: shell_binaries
+  items: [ash, bash, csh, ksh, sh, tcsh, zsh, dash]
+
+
+- macro: check_process_atlassian_confluence
+  condition: (proc.aname[0]=java and proc.name contains http-nio and proc.cmdline contains -DConfluence)
+
+
+- rule: Atlassian Confluence Server and Data Center Possible CVE-2022-26134 Exploit Detection(RCE)
+  desc: Possible CVE-2022-26134 Attempt exploit observed. 
+  condition: >
+    evt.dir=< and 
+    evt.type in (stat, execve) and 
+    check_process_atlassian_confluence and 
+    (evt.arg.path contains 'java.lang.Runtime@getRuntime().exec' or evt.arg.path contains '${new javax.script.ScriptEngineManager().getEngineByName("nashorn").eval') or (evt.arg.exe in (shell_binaries) and evt.arg.args startswith '-c')
+  output: "CVE-2022-26134 (Atlassian Confluence) exploit detected (user.name=%user.name user.loginuid=%user.loginuid proc.exeline=%proc.exeline proc.name=%proc.name proc.cwd=%proc.cwd container.id=%container.id evt.args=%evt.args)"
+  priority: CRITICAL
+  tags: [host, container, exploit, CVE_2022_26134, atlassian_confluence, Mitre_Initial_Access, T1190]
+
+
+- macro: read_socket
+  condition: evt.type=read and (fd.typechar='4' or fd.typechar='6')
+
+
+- rule: Atlassian Confluence Server and Data Center CVE-2022-26134 Exploit Attempt Detection(RCE)
+  desc: Possible CVE-2022-26134 Attempt exploit attempt observed. 
+  condition: >
+    evt.dir=< and 
+    read_socket and 
+    check_process_atlassian_confluence and 
+    (evt.arg.data contains 'org.apache.commons.io.IOUtils' and evt.arg.data contains 'java.lang.Runtime' and evt.arg.data contains '.exec') or
+    (evt.arg.data contains 'javax.script.ScriptEngineManager' and evt.arg.data contains 'getEngineByName' and evt.arg.data contains '.eval' and evt.arg.data contains 'java.lang.ProcessBuilder' and evt.arg.data contains '.command')
+
+  output: "CVE-2022-26134 (Atlassian Confluence) exploit attempt detected (user.name=%user.name user.loginuid=%user.loginuid proc.exeline=%proc.exeline proc.name=%proc.name proc.cwd=%proc.cwd container.id=%container.id evt.args=%evt.args cip=%fd.cip)"
+  priority: CRITICAL
+  tags: [host, container, exploit, CVE_2022_26134, atlassian_confluence, Mitre_Initial_Access, T1190]
+
+
+
+
+
+
+
+
+
+
+
+
+
+

Atlassian-Confluence/README.md

@@ -0,0 +1,4 @@
+# CVE-2022-26134 Exploit Detection
+
+Command to run using Falco - `sudo falco -r falco-cve-2022-21634.yaml -A`
+

GoAnywhere-MFT/CVE-2023-0669/Falco/falco-cve-2023-0669.yaml

@@ -0,0 +1,29 @@
+
+- required_engine_version: 17
+
+- macro: check_goanywhereMFT_fingerprint
+  condition: (proc.exeline contains java and proc.exeline contains bootstrap.GoAnywhereBootstrap)
+
+- macro: check_process_goanywhere
+  condition: (proc.name contains http-nio)
+
+- rule: Fortra Goanywhere Managed File Transfer (MFT) CVE-2023-0669 Exploit Detection
+  desc: Possible CVE-2023-0669 exploit observed from Request URI '/lic/accept' (License Response Servlet) with POST method having a serialized payload in the Body. 
+  condition: >
+    evt.dir=< and check_goanywhereMFT_fingerprint and check_process_goanywhere and evt.args contains POST and evt.args contains /lic/accept and evt.args contains 'bundle='
+  enabled: true
+  output: "CVE-2023-0669 exploit attempt detected (user.name=%user.name user.loginuid=%user.loginuid proc.exeline=%proc.exeline proc.name=%proc.name proc.cwd=%proc.cwd container.id=%container.id evt.args=%evt.args)"
+  priority: CRITICAL
+  tags: [host, container, exploit, CVE_2023_0669, goanywhere_mft, Mitre_Initial_Access, T1190]
+
+
+- macro: shell_access
+  condition: (evt.args contains ./bin/bash or evt.args contains ./bin/csh or evt.args contains ./bin/sh or evt.args contains ./bin/zsh or evt.args contains ./bin/dash)
+
+- rule: Fortra Goanywhere MFT Possible Command Injection Detection
+  desc: Detecting possible command injection through Goanywhere MFT exploit (false positives may appear)
+  condition: >
+    evt.dir=< and check_goanywhereMFT_fingerprint and check_process_goanywhere and shell_access and syscall.type=execve
+  output: "Possible Command Injection through Goanywhere MFT (user.name=%user.name user.loginuid=%user.loginuid proc.exeline=%proc.exeline proc.name=%proc.pid proc.cwd=%proc.cwd container.id=%container.id)"
+  priority: WARNING
+  tags: [host, container, anomaly, CVE_2023_0669, goanywhere_mft, Mitre_Initial_Access, T1190]

GoAnywhere-MFT/CVE-2023-0669/Osquery/CVE-2023-0669.sql

@@ -0,0 +1,29 @@
+SELECT
+    p.name AS process_name,
+    p.pid AS process_pid,
+    p.cmdline AS process_cmdline,
+    p.path AS process_path,
+    pof.path AS opened_files,
+    yara.count,
+    yara.matches
+FROM processes p
+JOIN process_open_files AS pof
+ON p.pid = pof.pid
+AND process_name = 'java'
+AND process_cmdline LIKE '%bootstrap.GoAnywhereBootstrap%'
+AND pof.path LIKE '%/goanywhere.log'
+JOIN yara
+ON yara.path = pof.path
+AND yara.count > 0
+AND sigrule = '
+    rule goanywhere_2023_0669_log{
+        meta:
+            author = "Loginsoft Research Team"
+            description = "Detect the CVE-2023-0669 exploitation on goanywhere mft"
+        strings:
+            $parse_error = "Error parsing license response"
+            $http_reponse_500 = {41 6e 20 65 72 72 6f 72 20 6f 63 63 75 72 72 65 64 20 77 68 69 6c 65 20 70 72 6f 63 65 73 73 69 6e 67 20 74 68 65 20 72 65 71 75 65 73 74 20 55 52 49 20 27 2f 67 6f 61 6e 79 77 68 65 72 65 2f 6c 69 63 2f 61 63 63 65 70 74 27 20 66 72 6f 6d 20 74 68 65 20 69 70 20 61 64 64 72 65 73 73 20 27 [1-3] 2e [1-3] 2e [1-3] 2e [1-3] 27 2e 20 54 68 65 20 48 54 54 50 20 73 74 61 74 75 73 20 63 6f 64 65 20 69 73 20 27 35 30 30 27}
+            $error_class = "at com.linoma.ga.ui.admin.servlet.LicenseResponseServlet.doPost(LicenseResponseServlet.java"
+        condition:
+            all of them
+    }';

GoAnywhere-MFT/CVE-2023-0669/README.md

@@ -0,0 +1,4 @@
+# CVE-2023-0669 Exploit Detection
+
+Command to run using Falco - `sudo falco -r falco-cve-2023-0669.yaml -A`
+

RocketMQ/CVE-2023-33246/Falco/falco-cve-2023-33246.yaml

@@ -0,0 +1,38 @@
+- required_engine_version: 17
+
+
+- macro: rocketmq_check_netty_server
+  condition: (proc.name contains NettyServer and proc.env contains ROCKETMQ)
+
+- macro: read_socket
+  condition: evt.type=read and (fd.typechar='4' or fd.typechar='6')
+
+- macro: rocketmq_check_payload_for_conf_update
+  condition: (read_socket and evt.buffer contains 'code":25' and evt.buffer contains serialize)
+
+- rule: Apache Rocketmq CVE-2023-33246 Exploit Detection
+  desc: >
+    CVE-2023-33246 is exploited at the function used to update configuration & can be detected by looking at the buffer for broker code-25 and serializeTypeCurrentRPC function.
+  condition: >
+    evt.dir=< and rocketmq_check_netty_server and rocketmq_check_payload_for_conf_update
+  output: CVE-2023-33246 exploit detected (event=%evt.type server_ip=%fd.sip server_port=%fd.sport proto=%fd.l4proto parent=%proc.pname process=%proc.name command=%proc.cmdline container_id=%container.id)
+  priority: CRITICAL
+  tags: [host, container, exploit, CVE_2023_33246, rocketmq, apache,Mitre_Initial_Access, Mitre_Execution,TA0001, TA0002, T1133, T1059]
+
+- macro: open_write
+  condition: (evt.type in (open,openat,openat2) and evt.is_open_write=true and fd.typechar='f' and fd.num>=0)
+
+- macro: rocketmq_check_env_variable
+  condition: (proc.env contains ROCKETMQ)
+
+- macro: rocketmq_check_properties_file_write_conf
+  condition: (fd.nameraw contains conf and fd.nameraw endswith '.properties')
+
+- rule: Apache Rocketmq CVE-2023-33246 Exploit Attempt based on properties file
+  desc: >
+    Observed the file ends with '.properties' created under folder 'CONF' upon exploit CVE-2023-33246 attempt
+  condition: >
+    open_write and evt.dir=< and rocketmq_check_env_variable and rocketmq_check_properties_file_write_conf
+  output: CVE-2023-33246 exploit attempt detected (event=%evt.type filepath=%fd.name server_ip=%fd.sip server_port=%fd.sport proto=%fd.l4proto parent=%proc.pname process=%proc.name command=%proc.cmdline container_id=%container.id)
+  priority: WARNING
+  tags: [host, container, anomaly, CVE_2023_33246, rocketmq, apache,Mitre_Initial_Access, Mitre_Execution,TA0001, TA0002, T1133, T1059]

RocketMQ/CVE-2023-33246/Osquery/CVE_2023_33246_rocketmq_log.sql

@@ -0,0 +1,30 @@
+SELECT
+    p.name AS process_name,
+    p.pid AS process_pid,
+    p.cmdline AS process_cmdline,
+    p.path AS process_path,
+    pof.path AS opened_files,
+    yara.count,
+    yara.matches
+FROM processes p
+JOIN process_open_files AS pof
+ON p.pid = pof.pid
+AND name = 'java'
+AND cmdline LIKE '%rocketmq%'
+AND pof.path LIKE '%/broker.log'
+JOIN yara
+ON yara.path = pof.path
+AND yara.count > 0
+AND sigrule = '
+    rule rocketmq_2023_33246_log{
+        meta:
+            author = "Loginsoft Research Team"
+            description = "Detect the updatebrokerconfig request to add keys before exploitation from broker.log file"
+        strings:
+            $update_info_1 = "Broker receive request to update config, caller address"
+            $update_info_2 = "updateBrokerConfig called by"
+            $update_key_info = /updateBrokerConfig, new config: \[\{filterServerNums=(0*[1-9]\d*|0\d{*,}), rocketmqHome=-c/
+
+        condition:
+            1 of ($update_info_*) and $update_key_info
+    }';

RocketMQ/CVE-2023-33246/Osquery/CVE_2023_33246_rocketmq_properties.sql

@@ -0,0 +1,25 @@
+SELECT
+    target_path,
+    category,
+    action,
+    atime,
+    mtime,
+    ctime,
+    count,
+    matches
+FROM file_events
+JOIN yara
+ON yara.path = target_path
+AND target_path LIKE '%.properties'
+AND count > 0
+AND sigrule = '
+    rule rocketmq_2023_33246_properties{
+        meta:
+            author = "Loginsoft Research Team"
+            description = "Detect the addition of key in properties file before exploitation."
+        strings:
+            $key_value_1 = /filterServerNums=(0*[1-9]\d*|0\d{*,})/
+            $key_value_2 = "rocketmqHome=-c"
+        condition:
+            all of them
+    }';

RocketMQ/CVE-2023-33246/README.md

@@ -0,0 +1,4 @@
+# CVE-2023-33246 Exploit Detection
+
+Command to run using Falco - `sudo falco -r falco-cve-2023-33246.yaml -A`
+

WSO2/CVE-2022-29464/Falco/falco-cve-2022-29464.yaml

@@ -0,0 +1,18 @@
+- required_engine_version: 17
+
+
+#resuing macro #api-manager
+- macro: open_write
+  condition: (evt.type in (open,openat,openat2) and evt.is_open_write=true and fd.typechar='f' and fd.num>=0)
+
+- macro: check_process_wso2
+  condition: (proc.aname[0]=java and (proc.exeline contains org.wso2.carbon.bootstrap) or proc.exeline contains org.wso2.carbon.server)
+
+- rule: WSO2 CVE-2022-29464 Exploit Detection
+  desc: Possible CVE-2022-29464 exploit observed. 
+  condition: >
+    check_process_wso2 and open_write and fd.directory contains /repository/ and fd.nameraw contains '../../../../' and evt.arg.mode=0666 and (fd.filename contains '.jsp' or fd.filename contains '.war' or fd.filename contains '.class')
+  output: "CVE-2022-29464 exploit attempt detected (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid file=%fd.filename directory=%fd.directory container.id=%container.id))"
+  priority: CRITICAL
+  tags: [host, container, exploit, CVE_2022_29464, wso2_apim, wso2_is]
+