The following analytic detects a potentially malicious file upload attempt to Documentum, an enterprise content management platform, via specific suspicious URLs and the HTTP POST method. This detection occurs through pattern recognition within the datamodel=Web, focusing on URL patterns that follow "/documentum/upload.aspx?parentid=", "/documentum/upload.aspx?filename=", "/documentum/upload.aspx?uploadId=*", combined with the HTTP POST method, indicative of a file upload attempt.
This behavior is significant for a Security Operations Center (SOC) to identify, as it can signify a potential attack vector. Malicious actors might use this method to upload a harmful script or other exploitable content to Documentum, thereby establishing a foothold in the environment, spreading malware, or enabling further exploitation.
The impact of this behavior, if a true positive, can be quite significant. An attacker could compromise the Documentum application, manipulate or steal sensitive content, and potentially gain unauthorized access to other system resources. An intrusion of this nature could disrupt business operations, result in data breaches, and even damage the organization's reputation.
However, it's important to note that false positives may occur. For example, legitimate but uncommon file uploads might match these URL patterns. It's crucial to verify any alerts generated by this analytic to ensure accurate threat detection. This analytic provides critical insights into potential attack attempts and assists in maintaining the integrity and security of enterprise content management systems like Documentum.
- Type: Hunting
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Web
- Last Updated: 2023-07-26
- Author: Michael Haag, Splunk
- ID: 172c59f2-5fae-45e5-8e51-94445143e93f
Kill Chain Phase
- CIS 10
1 2 3 4 5 6 | tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url="/documentum/upload.aspx?*" AND Web.url IN ("*parentid=*","*filename=*","*uploadId=*") AND Web.url IN ("*unzip=*", "*raw=*") Web.http_method=POST by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `citrix_sharefile_exploitation_cve_2023_24489_filter`
The SPL above uses the following Macros:
citrix_sharefile_exploitation_cve-2023-24489_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
List of fields required to use this analytic.
How To Implement
Dependent upon the placement of the ShareFile application, ensure the latest Technology Add-On is eneabled. This detection requires the Web datamodel to be populated from a supported Technology Add-On like Suricata, Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto. The ShareFile application is IIS based, therefore ingesting IIS logs and reviewing for the same pattern would identify this activity, successful or not.
Known False Positives
False positives may be present, filtering may be needed. Also, restricting to known web servers running IIS or ShareFile will change this from Hunting to TTP.
Associated Analytic Story
|45.0||90||50||Possible expliotation of CVE-2023-24489 against $dest$.|
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.
source | version: 1