Detection: Juniper Networks Remote Code Execution Exploit Detection

Updated Date: 2024-11-15 ID: 6cc4cc3d-b10a-4fac-be1e-55d384fc690e Author: Michael Haag, Splunk Type: TTP Product: Splunk Enterprise Security

Description

The following analytic detects attempts to exploit a remote code execution vulnerability in Juniper Networks devices. It identifies requests to /webauth_operation.php?PHPRC=*, which are indicative of uploading and executing malicious PHP files. This detection leverages the Web data model, focusing on specific URL patterns and HTTP status codes. This activity is significant because it signals an attempt to gain unauthorized access and execute arbitrary code on the device. If confirmed malicious, the attacker could gain control over the device, leading to data theft, network compromise, or other severe consequences.

1
2| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("*/webauth_operation.php?PHPRC=*") Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype 
3| `drop_dm_object_name("Web")` 
4| `security_content_ctime(firstTime)` 
5| `security_content_ctime(lastTime)` 
6| `juniper_networks_remote_code_execution_exploit_detection_filter`

Data Source

Name Platform Sourcetype Source
Suricata N/A 'suricata' 'suricata'

Macros Used

Name Value
security_content_ctime convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$)
juniper_networks_remote_code_execution_exploit_detection_filter search *
juniper_networks_remote_code_execution_exploit_detection_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

- MITRE ATT&CK
+ Kill Chain Phases
+ NIST
+ CIS
- Threat Actors
ID Technique Tactic
T1190 Exploit Public-Facing Application Initial Access
T1105 Ingress Tool Transfer Command And Control
T1059 Command and Scripting Interpreter Execution
Command and Control
Delivery
Installation
DE.CM
CIS 13

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting Value
Disabled true
Cron Schedule 0 * * * *
Earliest Time -70m@m
Latest Time -10m@m
Schedule Window auto
Creates Notable Yes
Rule Title %name%
Rule Description %description%
Notable Event Fields user, dest
Creates Risk Event True
This configuration file applies to all detections of type TTP. These detections will use Risk Based Alerting and generate Notable Events.

Implementation

To implement this search, ensure that the Web data model is populated. The search is activated when the Web data model is accelerated. Network products, such as Suricata or Palo Alto, need to be mapped to the Web data model. Adjust the mapping as necessary to suit your specific products.

Known False Positives

Be aware of potential false positives - legitimate uses of the /webauth_operation.php endpoint may cause benign activities to be flagged.The URL in the analytic is specific to a successful attempt to exploit the vulnerability. Review contents of the HTTP body to determine if the request is malicious. If the request is benign, add the URL to the whitelist or continue to monitor.

Associated Analytic Story

Risk Based Analytics (RBA)

Risk Message:

This analytic has identified a potential exploitation of a remote code execution vulnerability in Juniper Networks devices on $dest$ on the URL $url$ used for the exploit.

Risk Object Risk Object Type Risk Score Threat Objects
dest system 72 url

References

Detection Testing

Test Type Status Dataset Source Sourcetype
Validation Passing N/A N/A N/A
Unit Passing Dataset suricata suricata
Integration ✅ Passing Dataset suricata suricata

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

Source: GitHub | Version: 4