⚠️ WARNING: THIS IS AN EXPERIMENTAL DETECTION
We have not been able to test, simulate, or build datasets for it; use at your own risk!
This search detects remote code execution (RCE) exploit attempts against F5 BIG-IP, BIG-IQ, and Traffix SDC devices.
- Type: TTP
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Last Updated: 2020-08-02
- Author: Shannon Davis, Splunk
- ID: 810e4dbc-d46e-11ea-87d0-0242ac130003
| ID | Technique | Tactic |
|---|---|---|
| T1190 | Exploit Public-Facing Application | Initial Access |

```
`f5_bigip_rogue` | regex _raw="(hsqldb; |.*\\.\\.;.*)" | search `detect_f5_tmui_rce_cve_2020_5902_filter`
```
Associated Analytic Story
How To Implement
To consistently detect exploit attempts against F5 devices using the vulnerabilities contained within CVE-2020-5902, it is recommended to ingest logs via syslog. As many BIG-IP devices will have SSL enabled on their management interfaces, detections based on wire data may not pick anything up unless you are decrypting SSL traffic in order to inspect it. I am using a regex string from a Cloudflare mitigation technique to try and always catch the offending string (`..;`), along with the string used by the other exploit (`hsqldb;`).
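As an added example (not part of the Splunk detection or of this page), the following Python reproduces the search's regex outside Splunk and runs it over constructed syslog-forwarded httpd events, so you can see which alternative fires on which event before the macro filter is applied. The hostnames, addresses and request paths are constructed placeholders, and the stricter "request line only" variant is an assumption added here to show one way of narrowing the match; it is not part of the original search.

```python
import re

# Equivalent of the SPL `regex _raw="(hsqldb; |.*\\.\\.;.*)"`.
# Inside the SPL double-quoted string, `\\.` reaches the regex engine as `\.`,
# so the engine evaluates `(hsqldb; |.*\.\.;.*)`. The SPL regex command is
# unanchored, which re.search reproduces.
CVE_2020_5902_PATTERN = re.compile(r"(hsqldb; |.*\.\.;.*)")

# Matches the quoted request line of an httpd access-log style event
# (assumed log shape; adjust to the format your BIG-IP actually forwards).
REQUEST_LINE = re.compile(r'"((?:GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH) \S+ HTTP/\d\.\d)"')

# Constructed sample events, not real captures. Paths are placeholders that only
# carry the tokens the detection keys on (`..;` and `hsqldb;`).
SAMPLE_EVENTS = [
    'Jul  6 10:15:01 bigip1 httpd: 203.0.113.10 "GET /tmui/login.jsp HTTP/1.1" 200',
    'Jul  6 10:15:02 bigip1 httpd: 203.0.113.10 "GET /tmui/example/..;/placeholder.jsp HTTP/1.1" 200',
    'Jul  6 10:15:03 bigip1 httpd: 203.0.113.10 "GET /hsqldb; HTTP/1.1" 200',
    'Jul  6 10:15:04 bigip1 httpd: 198.51.100.7 "GET /tmui/images/logo.png HTTP/1.1" 200',
    # Benign operational message that still contains "..;" and therefore matches
    # the _raw regex: the kind of event to account for when tuning the filter macro.
    'Jul  6 10:15:05 bigip1 logger: Backup job waiting..; retrying in 5s',
]


def classify(raw):
    """Apply the search's regex to a whole event, as `regex _raw=...` does.

    Returns "hsqldb" or "traversal" for a hit, or None when the event does not match.
    """
    if not CVE_2020_5902_PATTERN.search(raw):
        return None
    return "hsqldb" if "hsqldb; " in raw else "traversal"


def request_line(raw):
    """Extract the quoted HTTP request line from an access-log style event, or None."""
    m = REQUEST_LINE.search(raw)
    return m.group(1) if m else None


def classify_request_only(raw):
    """Stricter variant (added here): apply the same regex only to the request line.

    Events without a request line (e.g. generic syslog messages) can no longer match.
    """
    line = request_line(raw)
    return None if line is None else classify(line)


def run_detection(events, request_only=False):
    """Return [(event_index, reason), ...] for every event the chosen check flags."""
    hits = []
    for i, raw in enumerate(events):
        reason = classify_request_only(raw) if request_only else classify(raw)
        if reason:
            hits.append((i, reason))
    return hits


if __name__ == "__main__":
    print("whole-event (_raw) matching:")
    for idx, reason in run_detection(SAMPLE_EVENTS):
        print(f"  [{reason:9}] {SAMPLE_EVENTS[idx]}")
    print("request-line-only matching:")
    for idx, reason in run_detection(SAMPLE_EVENTS, request_only=True):
        print(f"  [{reason:9}] {SAMPLE_EVENTS[idx]}")
```

Running the whole-event check flags the `..;` request, the `hsqldb;` request, and the benign "waiting..;" message; the request-line-only variant drops the last of those. In the Splunk search, that kind of tuning belongs in the `detect_f5_tmui_rce_cve_2020_5902_filter` macro rather than in the regex itself.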
Kill Chain Phase
Known False Positives
source | version: 1