Try in Splunk Security Cloud

Description

The following analytic is designed to detect potential exploitation attempts against VMWare vRealize Network Insight that align with the characteristics of CVE-2023-20887. This specific vulnerability is a critical security flaw that, if exploited, could allow an attacker to execute arbitrary code on the affected system.
The analytic operates by monitoring web traffic, specifically HTTP POST requests, directed towards a specific URL endpoint ("/saas./resttosaasservlet"). This endpoint is known to be vulnerable and is a common target for attackers exploiting this vulnerability.
The behavior this analytic detects is the sending of HTTP POST requests to the vulnerable endpoint. This is a significant indicator of an attempted exploit as it is the primary method used to trigger the vulnerability. The analytic detects this behavior by analyzing web traffic data and identifying HTTP POST requests directed at the vulnerable endpoint.
Identifying this behavior is crucial for a Security Operations Center (SOC) as it can indicate an active attempt to exploit a known vulnerability within the network. If the identified behavior is a true positive, it suggests an attacker is attempting to exploit the CVE-2023-20887 vulnerability in VMWare vRealize Network Insight. The impact of such an attack could be severe, potentially allowing the attacker to execute arbitrary code on the affected system, leading to unauthorized access, data theft, or further propagation within the network.

  • Type: TTP
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Web
  • Last Updated: 2023-06-21
  • Author: Michael Haag, Splunk
  • ID: d5d865e4-03e6-43da-98f4-28a4f42d4df7

Annotations

ATT&CK

ATT&CK

ID Technique Tactic
T1133 External Remote Services Persistence, Initial Access
T1190 Exploit Public-Facing Application Initial Access
T1210 Exploitation of Remote Services Lateral Movement
T1068 Exploitation for Privilege Escalation Privilege Escalation
Kill Chain Phase
  • Installation
  • Delivery
  • Exploitation
NIST
  • DE.CM
CIS20
  • CIS 13
CVE 


1
2
3
4
5
6



| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("*/saas./resttosaasservlet*")  Web.http_method=POST Web.status IN ("unknown", "200") by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype 
| `drop_dm_object_name("Web")` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `vmware_aria_operations_exploit_attempt_filter`

Macros

The SPL above uses the following Macros:

:information_source: vmware_aria_operations_exploit_attempt_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required fields

List of fields required to use this analytic.

  • Web.http_method
  • Web.url
  • Web.url_length
  • Web.src
  • Web.dest
  • Web.http_user_agent

How To Implement

To successfully implement this search, you need to be ingesting web or proxy logs, or ensure it is being filled by a proxy like device, into the Web Datamodel. Restrict to specific dest assets to reduce false positives.

Known False Positives

False positives will be present based on gateways in use, modify the status field as needed.

Associated Analytic Story

RBA

Risk Score Impact Confidence Message
72.0 90 80 An exploitation attempt has occurred against $dest$ from $src$ related to CVE-2023-20887

:information_source: The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

Reference

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 1