This analytic is designed to detect unauthenticated access to the System Manager Portal in Ivanti Sentry, formerly known as MobileIron Sentry. The vulnerability, designated as CVE-2023-38035, affects all supported versions 9.18, 9.17, and 9.16, as well as older versions. The analytic works by monitoring for changes in the configuration of Sentry and the underlying operating system. Such changes could indicate an attacker attempting to execute OS commands as root. This behavior is of significant concern for a Security Operations Center (SOC) as it presents a substantial security risk, particularly if port 8443, the default port for the System Manager Portal, is exposed to the internet. If the analytic returns a true positive, it suggests that an attacker has gained unauthorized access to the Sentry system, potentially leading to a significant system compromise and data breach. It is important to note that while the issue has a high CVSS score, the risk of exploitation is low for customers who do not expose port 8443 to the internet. The search specifically looks for HTTP requests to certain endpoints ("/mics/services/configservice/", "/mics/services/","/mics/services/MICSLogService*") and HTTP status code of 200. Unusual or unexpected patterns in these parameters could indicate an attack.
- Type: TTP
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Web
- Last Updated: 2023-08-24
- Author: Michael Haag, Splunk
- ID: b8e0d1cf-e6a8-4d46-a5ae-aebe18ead8f8
Kill Chain Phase
- CIS 13
1 2 3 4 5 6 | tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("/mics/services/configservice/*", "/mics/services/*","/mics/services/MICSLogService*") Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ivanti_sentry_authentication_bypass_filter`
The SPL above uses the following Macros:
ivanti_sentry_authentication_bypass_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
List of fields required to use this analytic.
How To Implement
To implement this analytic, a network product similar to Suricata or Palo Alto needs to be mapped to the Web datamodel. Modify accordingly to work with your products.
Known False Positives
It is important to note that false positives may occur if the search criteria are expanded beyond the HTTP status code 200. In other words, if the search includes other HTTP status codes, the likelihood of encountering false positives increases. This is due to the fact that HTTP status codes other than 200 may not necessarily indicate a successful exploitation attempt.
Associated Analytic Story
|45.0||90||50||Possible exploitation of CVE-2023-38035 against $dest$.|
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.
source | version: 1