Rule History

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Ivanti Pulse Secure Authentication Bypass and Command Injection Attempt (CVE-2023-46805, CVE-2024-21887) M2"; flow:established,to_server; http.request_line; content:"POST /api/v1/totp/user-backup-code/../../system/maintenance/archiving/cloud-server-test-connection"; fast_pattern; http.content_type; content:"application/json"; http.request_body; content:"|22|type|22 3a|"; content:"|22 3b|"; within:3; content:"|22|txtGCPProject|22 3a|"; content:"|22|txtGCPSecret|22 3a|"; content:"|22|txtGCPPath|22 3a|"; content:"|22|txtGCPBucket|22 3a|"; reference:url,attackerkb.com/topics/AdUh6by52K/cve-2023-46805/rapid7-analysis; reference:cve,2023-46805; reference:cve,2024-21887; classtype:attempted-admin; sid:2050096; rev:2; metadata:affected_product Pulse_Secure, created_at 2024_01_16, cve CVE_2023_46805_CVE_2024_21887, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_11_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)