A recently disclosed vulnerability, CVE-2023-40044, which targets the Ad Hoc Transfer module of Progress Software WS_FTP Server, highlights the importance of giving detection developers environments in which they can replicate and validate ongoing exploitation campaigns and produce the data needed to develop detections that protect their organizations. As its name suggests, WS_FTP Server is a file transfer application, and it is currently being targeted for exploitation. It is developed by the same company that develops the MOVEit file transfer software, which was also recently affected by a published vulnerability (CVE-2023-34362).

As the Splunk Threat Research Team (STRT), we develop community tools that give defenders the ability to replicate attacks and develop detections using the Splunk Attack Range. Splunk Attack Range allows the quick creation of a pre-configured sandbox lab in which attack-generated data can be captured, processed, and analyzed. In this blog, we showcase how we used it to develop detection content for CVE-2023-40044.

Attack Range Setup

As outlined above, the vulnerability targets the WS_FTP Server Ad Hoc Transfer IIS module. WS_FTP Server, which is composed of several modules including the Ad Hoc Transfer module, requires the installation of Microsoft IIS and several IIS extensions in order to run. Prior work by the STRT on IIS components and on inventorying IIS modules may be found in our blog and on. According to at least one proof of concept, the attack was replicated against an instance running Microsoft IIS. Since Splunk Attack Range does not collect IIS logs by default, we had to set up Microsoft IIS log collection.

Install the Splunk Add-on for Microsoft IIS on a Splunk server within Splunk Attack Range

Remember that if you run a distributed Splunk deployment, the workflow for deploying this add-on may differ. In our case, since it was a single instance, we just had to install the add-on on the single Microsoft Windows Server 2016 instance created in Splunk Attack Range. Once the installation was successful, we had to configure inputs for IIS. We followed the instructions in Configure inputs in the Splunk Add-on for Microsoft IIS.
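The single-instance setup described above, as an added PowerShell example that is not code from the original post or from the STRT: it checks that IIS on the Windows Server 2016 host writes W3C-format logs and where, lists the globally registered native IIS modules (the inventory step referenced earlier), and then writes a monitor input for the Splunk Add-on for Microsoft IIS. The add-on's app directory name (Splunk_TA_microsoft-iis), the sourcetype ms:iis:auto, the index name and the Splunk install path are assumptions and may need to match your own deployment.

```powershell
# Added example, not part of the original post or of the STRT's tooling.
# Run in an elevated PowerShell session on the IIS host. Requires the
# WebAdministration module (present once the IIS role is installed).
#
# Assumed values (not stated in the post): add-on directory name
# Splunk_TA_microsoft-iis, sourcetype ms:iis:auto, index name and Splunk path.
param(
    [string]$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder',  # assumed
    [string]$Index      = 'iis'                                          # assumed
)

Import-Module WebAdministration -ErrorAction Stop

# 1. Where does IIS write its logs, and in which format? The add-on relies on
#    the #Fields header that only the W3C log format emits.
$logFile = Get-WebConfiguration -Filter '/system.applicationHost/sites/siteDefaults/logFile'
$logDir  = [Environment]::ExpandEnvironmentVariables($logFile.directory)
Write-Host "Site-default log directory : $logDir"
Write-Host "Site-default log format    : $($logFile.logFormat)"
if ($logFile.logFormat -ne 'W3C') {
    throw "IIS logging is not W3C; switch the format before collecting logs."
}

# 2. Per-site view: each site logs under <directory>\W3SVC<siteId>. A site with
#    zero .log files has either not served a request yet or logs elsewhere.
Get-Website | ForEach-Object {
    $siteDir = Join-Path ([Environment]::ExpandEnvironmentVariables($_.logFile.directory)) "W3SVC$($_.id)"
    $count   = (Get-ChildItem -Path $siteDir -Filter '*.log' -ErrorAction SilentlyContinue | Measure-Object).Count
    Write-Host ("{0,-30} id={1} logs={2} dir={3}" -f $_.name, $_.id, $count, $siteDir)
}

# 3. Inventory the globally registered native modules so the WS_FTP Server
#    components can be seen alongside the stock IIS ones.
Get-WebGlobalModule | Select-Object name, image | Format-Table -AutoSize

# 4. Write the monitor input into the add-on's local directory. The W3SVC*
#    wildcard picks up every site under the default log directory.
$inputsDir  = Join-Path $SplunkHome 'etc\apps\Splunk_TA_microsoft-iis\local'   # assumed app name
$inputsConf = Join-Path $inputsDir 'inputs.conf'
New-Item -ItemType Directory -Path $inputsDir -Force | Out-Null
@"
[monitor://$logDir\W3SVC*\*.log]
disabled = 0
sourcetype = ms:iis:auto
index = $Index
"@ | Set-Content -Path $inputsConf -Encoding ASCII
Write-Host "Wrote $inputsConf"

# 5. Restart Splunk so the new input is read, then confirm it is being monitored.
$splunkExe = Join-Path $SplunkHome 'bin\splunk.exe'
& $splunkExe restart
& $splunkExe list monitor
```

On a full Splunk instance rather than a universal forwarder, pass the corresponding install path as SplunkHome; `splunk list monitor` may prompt for the admin credentials. If the index you name does not exist on the indexer, the events are dropped, so create it (or use an existing one) before restarting.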