Detect Pulse Secure 0-day (CVE-2021-22893)
In light of the most recent disclosure for the Pulse Secure VPN solution, I wanted to provide a quick guide to building a detection for this attack.
Brief Backstory — FireEye detected 12 malware families and multiple threat actors abusing Pulse Secure vulnerabilities. The most recent vulnerability, CVE-2021-22893, allows for RCE. A detailed explanation can be found HERE.
At a high level, what we want to alert on is requests or activity involving a specific set of URIs and files. Those are as follows:
- /home/bin/memread
- /home/runtime/logs/log.events.vc*
- /tmp/1
- meeting_testjs.cgi
- /home/runtime/logs/log.access.vc*
- /home/perl/PAUS.pm
- ive-host/dana-na/auth/
- /tmp/dsactiveuser.statementcounters
- /tmp/dsstartssh.statementcounters
- /tmp/dsserver-check.statementcounters
- compcheckjava.cgi
- compcheckresult.cgi
- DSUpgrade.pm
- memread
- licenseserverproto.cgi
- dana-na/auth/recover.cgi
- downloadlicenses.cgi
- *dana*
- *meeting*
- *fb*
- *smb*
- *dana-cached*
- *dana-ws*
- *metric*
- *namedusers*
In Splunk you can alert on these as follows (the first clause fires on any single indicator; the second only fires when the broader wildcard terms appear together):

```spl
index=*_main sourcetype=pulsesecure (("/home/bin/memread" OR "/home/runtime/logs/log.events.vc" OR "/tmp/1" OR "meeting_testjs.cgi" OR "/home/runtime/logs/log.access.vc" OR "/home/perl/PAUS.pm" OR "ive-host/dana-na/auth/" OR "/tmp/dsactiveuser.statementcounters" OR "/tmp/dsstartssh.statementcounters" OR "/tmp/dsserver-check.statementcounters" OR "compcheckjava.cgi" OR "compcheckresult.cgi" OR "DSUpgrade.pm" OR "memread" OR "licenseserverproto.cgi" OR "dana-na/auth/recover.cgi" OR "downloadlicenses.cgi") OR (((("*dana*") (("*meeting*") OR ("*fb*" "*smb*"))) OR ("*dana-cached*" "*fb*" "*smb*")) OR (("*dana-ws*") ("*metric*" OR "*namedusers*"))))
| stats count values(message) as message values(src_ip) as src_ip values(temp_info) as temp_info latest(_time) as ltime values(direction) as direction values(vendor_product) as vendor_product values(protocol) as protocol by index,dest,sourcetype
```
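The same matching logic as the query above, re-implemented in Python as an added example (not from the original post) so it can be run over exported Pulse Secure log lines without Splunk. The sample lines are constructed, and case-insensitive substring matching stands in for Splunk's token search; the first sample is ordinary Pulse Secure web UI traffic and shows why "*dana*" on its own is not treated as an alert.

```python
import fnmatch

# Exact indicators listed in the post: any single hit is enough to alert.
EXACT_INDICATORS = [
    "/home/bin/memread", "/home/runtime/logs/log.events.vc", "/tmp/1",
    "meeting_testjs.cgi", "/home/runtime/logs/log.access.vc",
    "/home/perl/PAUS.pm", "ive-host/dana-na/auth/",
    "/tmp/dsactiveuser.statementcounters", "/tmp/dsstartssh.statementcounters",
    "/tmp/dsserver-check.statementcounters", "compcheckjava.cgi",
    "compcheckresult.cgi", "DSUpgrade.pm", "memread", "licenseserverproto.cgi",
    "dana-na/auth/recover.cgi", "downloadlicenses.cgi",
]

# Wildcard groups from the query's second clause. "*dana*" alone matches the
# normal Pulse Secure web path, so each group pairs it with another term.
# (all_of, any_of): every all_of glob must match, plus one any_of glob if given.
WILDCARD_GROUPS = [
    (["*dana*"], ["*meeting*"]),
    (["*dana*", "*fb*", "*smb*"], []),
    (["*dana-cached*", "*fb*", "*smb*"], []),
    (["*dana-ws*"], ["*metric*", "*namedusers*"]),
]

def match_event(line):
    """Return the first matching rule as a label, or None (case-insensitive
    substring match; Splunk's token matching is somewhat stricter)."""
    text = line.lower()
    for ind in EXACT_INDICATORS:
        if ind.lower() in text:
            return "exact:" + ind
    for all_of, any_of in WILDCARD_GROUPS:
        if all(fnmatch.fnmatchcase(text, g) for g in all_of) and (
            not any_of or any(fnmatch.fnmatchcase(text, g) for g in any_of)
        ):
            return "wildcard:" + " ".join(all_of + any_of)
    return None

def scan(lines):
    """Pair each line with its label, keeping only the ones that alert."""
    hits = [(line, match_event(line)) for line in lines]
    return [(line, label) for line, label in hits if label]

# Constructed sample lines in a Pulse-Secure-like shape (not real output).
SAMPLE_LOGS = [
    "WebRequest ok: 198.51.100.7 GET /dana-na/auth/url_default/welcome.cgi",
    "WebRequest ok: 198.51.100.9 GET /dana/meeting/info.cgi",
    "WebRequest ok: 198.51.100.9 GET /dana-ws/metric/namedusers",
    "Process: /home/bin/memread started by admin",
    "WebRequest ok: 198.51.100.11 GET /dana-cached/fb/smb/wfb.cgi",
]
```

Run `scan(SAMPLE_LOGS)` to see which constructed lines alert and under which rule; the benign welcome.cgi request is left out.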
Happy Hunting