Try in Splunk Security Cloud

Description

This analytic detects potential exploitation of the Ivanti Virtual Traffic Manager (vTM) authentication bypass vulnerability (CVE-2024-7593) to create new administrator accounts. The vulnerability allows unauthenticated remote attackers to bypass authentication on the admin panel and create new admin users. This detection looks for suspicious new account creation events in the Ivanti vTM audit logs that lack expected authentication details, which may indicate exploitation attempts.

  • Type: TTP
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud

  • Last Updated: 2024-08-19
  • Author: Michael Haag, Splunk
  • ID: b04be6e5-2002-4349-8742-52285635b8f5

Annotations

ATT&CK

ATT&CK

ID Technique Tactic
T1190 Exploit Public-Facing Application Initial Access
Kill Chain Phase
  • Delivery
NIST
  • DE.CM
CIS20
  • CIS 10
CVE
1
2
3
4
5
`ivanti_vtm_audit` OPERATION="adduser" MODGROUP="admin" IP="!!ABSENT!!" 
| stats count min(_time) as firstTime max(_time) as lastTime by IP, MODUSER, OPERATION, MODGROUP, AUTH 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `ivanti_vtm_new_account_creation_filter`

Macros

The SPL above uses the following Macros:

:information_source: ivanti_vtm_new_account_creation_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required fields

List of fields required to use this analytic.

  • _time
  • IP
  • MODUSER
  • OPERATION
  • MODGROUP
  • AUTH

How To Implement

To implement this detection, ensure that Ivanti vTM audit logs are being ingested into Splunk. Configure the Ivanti vTM to send its audit logs to Splunk via syslog or by monitoring the log files directly. The sourcetype should be set to "ivanti_vtm_audit" or a similar custom sourcetype for these logs.

Known False Positives

Legitimate new account creation by authorized administrators will generate similar log entries. However, those should include proper authentication details. Verify any detected events against expected administrative activities and authorized user lists.

Associated Analytic Story

RBA

Risk Score Impact Confidence Message
72.0 90 80 A new administrator account, $MODUSER$, was created on Ivanti vTM device without proper authentication, which may indicate exploitation of CVE-2024-7593.

:information_source: The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

Reference

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 1