Try in Splunk Security Cloud


The following analytic is designed to detect a Remote Code Execution (RCE) vulnerability (CVE-2023-40044) in WS_FTP, a managed file transfer software by Progress. The search specifically looks for HTTP requests to the "/AHT/AhtApiService.asmx/AuthUser" URL with a status of 200, which could indicate an exploitation attempt.

  • Type: TTP
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Web
  • Last Updated: 2023-10-01
  • Author: Michael Haag, Splunk
  • ID: b84e8f39-4e7b-4d4f-9e7c-fcd29a227845




ID Technique Tactic
T1190 Exploit Public-Facing Application Initial Access
Kill Chain Phase
  • Delivery
  • DE.CM
  • CIS 13

| ID | Summary | CVSS | | ———– | ———– | ————– | | CVE-2023-40044 | In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a pre-authenticated attacker could leverage a .NET deserialization vulnerability in the Ad Hoc Transfer module to execute remote commands on the underlying WS_FTP Server operating system.  

| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("/AHT/AhtApiService.asmx/AuthUser") Web.status=200 Web.http_method=POST by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype 
| `drop_dm_object_name("Web")` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `ws_ftp_remote_code_execution_filter`


The SPL above uses the following Macros:

:information_source: ws_ftp_remote_code_execution_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required fields

List of fields required to use this analytic.

  • Web.http_user_agent
  • Web.status
  • Web.http_method
  • Web.url
  • Web.url_length
  • Web.src
  • Web.dest
  • sourcetype

How To Implement

The following analytic requires the Web datamodel. Ensure data source is mapped correctly or modify and tune for your data source.

Known False Positives

If WS_FTP Server is not in use, this analytic will not return results. Monitor and tune for your environment. Note the MetaSploit module is focused on only hitting /AHT/ and not the full /AHT/AhtApiService.asmx/AuthUser URL.

Associated Analytic Story


Risk Score Impact Confidence Message
72.0 90 80 Potential WS FTP Remote Code Execution detected against URL $url$ on $dest$ from $src$

:information_source: The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.


Test Dataset

Replay any dataset to Splunk Enterprise by using our tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 1