ID | Technique | Tactic |
---|---|---|
T1190 | Exploit Public-Facing Application | Initial Access |
T1059.003 | Windows Command Shell | Execution |
T1059.001 | PowerShell | Execution |
Detection: CrushFTP Authentication Bypass Exploitation
Description
The following analytic detects potential exploitation of the CrushFTP authentication bypass vulnerability (CVE-2025-31161). This detection identifies suspicious command execution patterns associated with exploitation of this vulnerability, such as executing mesch.exe with specific arguments like b64exec or fullinstall. This activity is indicative of an attacker exploiting CVE-2025-31161 to gain unauthorized access to the CrushFTP server and perform post-exploitation activities.
Search
```spl
`crushftp`
| rex field=_raw "\\[HTTP:[^:]+:(?<user>[^:]+):(?<src_ip>[^\\]]+)\\]"
| rex field=_raw "cmd:(?<process>[^\\*\\r\\n]+)"
| where isnotnull(process) AND (match(process, "mesch\.exe") OR match(process, "b64exec") OR match(process, "fullinstall") OR match(process, "run"))
| stats count min(_time) as firstTime max(_time) as lastTime by src_ip, user, process
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `crushftp_authentication_bypass_exploitation_filter`
```
Data Source
Name | Platform | Sourcetype | Source |
---|---|---|---|
CrushFTP | N/A | crushftp:sessionlogs | crushftp |
Macros Used
Name | Value |
---|---|
crushftp | sourcetype="crushftp:sessionlogs" |
crushftp_authentication_bypass_exploitation_filter | search * |
`crushftp_authentication_bypass_exploitation_filter` is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
Setting | Value |
---|---|
Disabled | true |
Cron Schedule | 0 * * * * |
Earliest Time | -70m@m |
Latest Time | -10m@m |
Schedule Window | auto |
Creates Notable | Yes |
Rule Title | %name% |
Rule Description | %description% |
Notable Event Fields | user, dest |
Creates Risk Event | True |
Implementation
To implement this detection, you need to ingest CrushFTP logs into your Splunk environment. Configure CrushFTP to forward logs to Splunk via a syslog forwarder or direct file monitoring. This detection searches for CrushFTP logs containing suspicious command execution patterns commonly associated with exploitation of the CVE-2025-31161 vulnerability.
Known False Positives
False positives may occur if there are legitimate administrative commands being executed on the CrushFTP server that match the suspicious patterns. Review the commands being executed to determine if the activity is legitimate administrative work or potential malicious activity.
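The following is an added example, not code from the Splunk Security Content project: it re-implements the rex/where/stats pipeline above in Python and runs it over a handful of constructed CrushFTP session log lines, so the extraction, the suspicious-pattern match and the `firstTime`/`lastTime` aggregation can be checked offline. The `[HTTP:<session>:<user>:<src_ip>]` prefix and `cmd:` field in the sample lines are assumed to match what the rex patterns expect, not a verified CrushFTP log layout, and the `allowlist` argument stands in for the empty filter macro to show how a known-good administrative command such as the one described under Known False Positives is tuned out without touching the search.

```python
import re
from datetime import datetime

# Constructed sample log lines (assumption: this layout matches the rex patterns
# in the detection; it is not taken from a real CrushFTP server).
SAMPLE_LOGS = [
    "2025-04-01 10:00:01|[HTTP:12345:crushadmin:203.0.113.10] cmd:mesch.exe b64exec*",
    "2025-04-01 10:00:05|[HTTP:12345:crushadmin:203.0.113.10] cmd:mesch.exe fullinstall*",
    "2025-04-01 10:02:00|[HTTP:67890:alice:198.51.100.7] cmd:LIST /home/alice*",
    "2025-04-01 10:03:00|[HTTP:67891:bob:198.51.100.9] cmd:run backup.bat*",
    "2025-04-01 10:04:00|[HTTP:67892:carol:198.51.100.11] STOR file.txt",
    "2025-04-01 10:05:00|[HTTP:12345:crushadmin:203.0.113.10] cmd:mesch.exe b64exec*",
]

# Same expressions as the two rex commands in the search.
SESSION_RE = re.compile(r"\[HTTP:[^:]+:(?P<user>[^:]+):(?P<src_ip>[^\]]+)\]")
CMD_RE = re.compile(r"cmd:(?P<process>[^*\r\n]+)")
# Same four patterns as the where clause (note that "run" is an unanchored substring match).
SUSPICIOUS_RE = [re.compile(p) for p in (r"mesch\.exe", r"b64exec", r"fullinstall", r"run")]


def parse_event(line):
    """Split a sample line into _time, user, src_ip and process, or None if
    either rex would fail to extract (the where clause drops such events)."""
    ts_str, _, raw = line.partition("|")
    session = SESSION_RE.search(raw)
    cmd = CMD_RE.search(raw)
    if not session or not cmd:
        return None
    return {
        "_time": datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S"),
        "user": session.group("user"),
        "src_ip": session.group("src_ip"),
        "process": cmd.group("process").strip(),
    }


def is_suspicious(process):
    return any(r.search(process) for r in SUSPICIOUS_RE)


def detect(lines, allowlist=()):
    """Equivalent of the rex | where | stats | filter-macro pipeline.

    Returns {(src_ip, user, process): {"count", "firstTime", "lastTime"}}.
    `allowlist` is a tuple of regexes playing the role of the (empty by default)
    crushftp_authentication_bypass_exploitation_filter macro: any process it
    matches is dropped from the results.
    """
    allow = [re.compile(p) for p in allowlist]
    stats = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None or not is_suspicious(ev["process"]):
            continue
        if any(a.search(ev["process"]) for a in allow):
            continue
        key = (ev["src_ip"], ev["user"], ev["process"])
        entry = stats.setdefault(
            key, {"count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"]}
        )
        entry["count"] += 1
        entry["firstTime"] = min(entry["firstTime"], ev["_time"])
        entry["lastTime"] = max(entry["lastTime"], ev["_time"])
    return stats


if __name__ == "__main__":
    for key, entry in detect(SAMPLE_LOGS).items():
        src_ip, user, process = key
        print(f"{src_ip:15} {user:12} {process:25} count={entry['count']} "
              f"first={entry['firstTime']:%H:%M:%S} last={entry['lastTime']:%H:%M:%S}")
    print("-- with 'run backup.bat' allowlisted --")
    for key in detect(SAMPLE_LOGS, allowlist=(r"^run backup\.bat$",)):
        print(key)
```

Running it without an allowlist yields three rows: two `mesch.exe` invocations by `crushadmin` from 203.0.113.10 (the `b64exec` one aggregated to `count=2` with a later `lastTime`) and bob's `run backup.bat`, which only matched because of the loose `run` substring pattern. Passing that command as an allowlist entry removes it, which is exactly the role the filter macro plays in the production search.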
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message:
Potential CrushFTP authentication bypass exploitation from IP $src_ip$ as user $user$
Risk Object | Risk Object Type | Risk Score | Threat Objects |
---|---|---|---|
user | user | 60 | No Threat Objects |
src_ip | system | 80 | No Threat Objects |
References
Detection Testing
Test Type | Status | Dataset | Source | Sourcetype |
---|---|---|---|---|
Validation | ✅ Passing | N/A | N/A | N/A |
Unit | ✅ Passing | Dataset | crushftp | crushftp:sessionlogs |
Integration | ✅ Passing | Dataset | crushftp | crushftp:sessionlogs |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.
Source: GitHub | Version: 1