| ID | Technique | Tactic |
|---|---|---|
| T1190 | Exploit Public-Facing Application | Initial Access |
| T1210 | Exploitation of Remote Services | Lateral Movement |
| T1059.001 | PowerShell | Execution |
| T1003.001 | LSASS Memory | Credential Access |
Detection: Cisco Secure Firewall - Veeam CVE-2023-27532 Exploitation Activity
Description
This analytic detects exploitation activity of CVE-2023-27532 using Cisco Secure Firewall Intrusion Events.
It leverages Cisco Secure Firewall Threat Defense IntrusionEvent logs to identify cases where Snort signature 61514 (Veeam Backup and Replication credential dump attempt)
is followed within a 5-minute window by 64795 (Veeam Backup and Replication xp_cmdshell invocation attempt), which detects the use of xp_cmdshell, a common post-exploitation technique.
If confirmed malicious, this behavior is highly indicative of a successful exploitation of CVE-2023-27532, followed by remote command execution or credential dumping.
Search
1`cisco_secure_firewall` EventType=IntrusionEvent signature_id IN (61514, 64795)
2
3| bin _time span=5m
4
5| fillnull
6
7| stats dc(signature_id) as unique_signature_count
8 values(signature_id) as signature_id
9 values(signature) as signature
10 values(class_desc) as class_desc
11 values(MitreAttackGroups) as MitreAttackGroups
12 values(InlineResult) as InlineResult
13 values(InlineResultReason) as InlineResultReason
14 values(src_ip) as src_ip
15 values(dest_port) as dest_port
16 values(rule) as rule
17 values(transport) as transport
18 values(app) as app
19 min(_time) as firstTime
20 max(_time) as lastTime
21 by dest_ip
22
23| where unique_signature_count = 2
24
25| `security_content_ctime(firstTime)`
26
27| `security_content_ctime(lastTime)`
28
29| `cisco_secure_firewall___veeam_cve_2023_27532_exploitation_activity_filter`
Data Source
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Cisco Secure Firewall Threat Defense Intrusion Event | N/A | 'cisco:sfw:estreamer' |
'not_applicable' |
Macros Used
| Name | Value |
|---|---|
| cisco_secure_firewall | sourcetype="cisco:sfw:estreamer" |
| cisco_secure_firewall___veeam_cve_2023_27532_exploitation_activity_filter | search * |
cisco_secure_firewall___veeam_cve_2023_27532_exploitation_activity_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
MITRE ATT&CK
Kill Chain Phases
NIST
CIS
Threat Actors
Delivery
Exploitation
Installation
DE.CM
CIS 13
APT19
APT28
APT29
APT3
APT32
APT33
APT38
APT39
APT41
APT42
APT5
Agrius
Akira
Aquatic Panda
Axiom
BRONZE BUTLER
BackdoorDiplomacy
BlackByte
BlackTech
Blue Mockingbird
CURIUM
Chimera
Cinnamon Tempest
Cleaver
Cobalt Group
Confucius
CopyKittens
Daggerfly
DarkHydrus
DarkVishnya
Deep Panda
Dragonfly
Earth Lusca
Ember Bear
FIN10
FIN13
FIN6
FIN7
FIN8
Fox Kitten
GALLIUM
GOLD SOUTHFIELD
Gallmaker
Gamaredon Group
Gorgon Group
HAFNIUM
HEXANE
INC Ransom
Inception
Indrik Spider
Ke3chang
Kimsuky
Lazarus Group
LazyScripter
Leafminer
Leviathan
Magic Hound
Molerats
Moonstone Sleet
Moses Staff
MoustachedBouncer
MuddyWater
Mustang Panda
Nomadic Octopus
OilRig
PLATINUM
Patchwork
Play
Poseidon Group
RedCurl
Rocke
Saint Bear
Salt Typhoon
Sandworm Team
Sea Turtle
Sidewinder
Silence
Stealth Falcon
Storm-1811
TA2541
TA459
TA505
TeamTNT
Threat Group-3390
Thrip
ToddyCat
Tonto Team
Turla
Volatile Cedar
Volt Typhoon
WIRTE
Whitefly
Winter Vivern
Wizard Spider
menuPass
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Notable | Yes |
| Rule Title | %name% |
| Rule Description | %description% |
| Notable Event Fields | user, dest |
| Creates Risk Event | True |
This configuration file applies to all detections of type TTP. These detections will use Risk Based Alerting and generate Notable Events.
Implementation
This search requires Cisco Secure Firewall Threat Defense Logs, which
includes the IntrusionEvent EventType. This search uses an input macro named cisco_secure_firewall.
We strongly recommend that you specify your environment-specific configurations
(index, source, sourcetype, etc.) for Cisco Secure Firewall Threat Defense logs. Replace the macro definition
with configurations for your Splunk environment. The search also uses a post-filter
macro designed to filter out known false positives.
The logs are to be ingested using the Splunk Add-on for Cisco Security Cloud (https://splunkbase.splunk.com/app/7404).
The intrusion access policy must also be configured.
Known False Positives
False positives should be very unlikely.
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message:
Exploitation attempt of Veeam CVE-2023-27532 on host $dest_ip$ by $src_ip$.
| Risk Object | Risk Object Type | Risk Score | Threat Objects |
|---|---|---|---|
| dest_ip | system | 25 | signature, src_ip |
References
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | not_applicable |
cisco:sfw:estreamer |
| Integration | ✅ Passing | Dataset | not_applicable |
cisco:sfw:estreamer |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 1