Branch was auto-updated.

dist/escu/app.manifest

@@ -5,7 +5,7 @@
     "id": {
       "group": null, 
       "name": "DA-ESS-ContentUpdate", 
-      "version": "4.5.0"
+      "version": "4.5.1"
     }, 
     "author": [
       {

dist/escu/default/analyticstories.conf

@@ -1,6 +1,6 @@
 #############
 # Automatically generated by generator.py in splunk/security_content
-# On Date: 2023-06-13T18:38:59 UTC
+# On Date: 2023-06-22T18:50:57 UTC
 # Author: Splunk Security Research
 # Contact: research@splunk.com
 #############
@@ -13477,6 +13477,19 @@ annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitr
 known_false_positives = There might be false positives associted with this detection since items like args as a web argument is pretty generic.
 providing_technologies = null
 
+[savedsearch://ESCU - VMWare Aria Operations Exploit Attempt - Rule]
+type = detection
+asset_type = Web Server
+confidence = medium
+explanation = The following analytic is designed to detect potential exploitation attempts against VMWare vRealize Network Insight that align with the characteristics of CVE-2023-20887. This specific vulnerability is a critical security flaw that, if exploited, could allow an attacker to execute arbitrary code on the affected system.\
+The analytic operates by monitoring web traffic, specifically HTTP POST requests, directed towards a specific URL endpoint ("/saas./resttosaasservlet"). This endpoint is known to be vulnerable and is a common target for attackers exploiting this vulnerability.\
+The behavior this analytic detects is the sending of HTTP POST requests to the vulnerable endpoint. This is a significant indicator of an attempted exploit as it is the primary method used to trigger the vulnerability. The analytic detects this behavior by analyzing web traffic data and identifying HTTP POST requests directed at the vulnerable endpoint.\
+Identifying this behavior is crucial for a Security Operations Center (SOC) as it can indicate an active attempt to exploit a known vulnerability within the network. If the identified behavior is a true positive, it suggests an attacker is attempting to exploit the CVE-2023-20887 vulnerability in VMWare vRealize Network Insight. The impact of such an attack could be severe, potentially allowing the attacker to execute arbitrary code on the affected system, leading to unauthorized access, data theft, or further propagation within the network.
+how_to_implement = To successfully implement this search, you need to be ingesting web or proxy logs, or ensure it is being filled by a proxy like device, into the Web Datamodel. Restrict to specific dest assets to reduce false positives.
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation"], "mitre_attack": ["T1133", "T1190", "T1210", "T1068"], "nist": ["DE.CM"]}
+known_false_positives = False positives will be present based on gateways in use, modify the status field as needed.
+providing_technologies = null
+
 [savedsearch://ESCU - VMware Server Side Template Injection Hunt - Rule]
 type = detection
 asset_type = Web Server
@@ -15718,6 +15731,21 @@ searches = ["ESCU - Protocols passing authentication in cleartext - Rule", "ESCU
 description = Leverage searches that detect cleartext network protocols that may leak credentials or should otherwise be encrypted.
 narrative = Various legacy protocols operate by default in the clear, without the protections of encryption. This potentially leaks sensitive information that can be exploited by passively sniffing network traffic. Depending on the protocol, this information could be highly sensitive, or could allow for session hijacking. In addition, these protocols send authentication information, which would allow for the harvesting of usernames and passwords that could potentially be used to authenticate and compromise secondary systems.
 
+[analytic_story://VMware Aria Operations vRealize CVE-2023-20887]
+category = Adversary Tactics
+last_updated = 2023-06-21
+version = 1
+references = ["https://nvd.nist.gov/vuln/detail/CVE-2023-20887", "https://summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-20887/", "https://viz.greynoise.io/tag/VMware-aria-operations-for-networks-rce-attempt?days=30", "https://github.com/sinsinology/CVE-2023-20887"]
+maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}]
+spec_version = 3
+searches = ["ESCU - VMWare Aria Operations Exploit Attempt - Rule"]
+description = CVE-2023-20887 is a critical vulnerability affecting VMware's vRealize Network Insight (also known as VMware Aria Operations for Networks). It allows a remote, unauthenticated attacker to execute arbitrary commands with root privileges via the Apache Thrift RPC interface. The exploit, which has a severity score of 9.8, targets an endpoint ("/saas./resttosaasservlet") in the application and delivers a malicious payload designed to create a reverse shell, granting the attacker control over the system. VMware has released an advisory recommending users to update to the latest version to mitigate this threat.
+narrative = CVE-2023-20887 is a highly critical vulnerability found in VMware's vRealize Network Insight. This software is widely used for intelligent operations management across physical, virtual, and cloud environments, so a vulnerability in it poses a significant risk to many organizations.\
+This particular vulnerability lies in the application's Apache Thrift RPC interface. The exploit allows an attacker to inject commands that are executed with root privileges, leading to a potential total compromise of the system. The attacker does not need to be authenticated, which further increases the risk posed by this vulnerability.\
+The exploit operates by sending a specially crafted payload to the "/saas./resttosaasservlet" endpoint. This payload contains a reverse shell command, which, when executed, allows the attacker to remotely control the victim's system. This control is obtained at the root level, providing the attacker with the ability to perform any action on the system.\
+What makes this vulnerability particularly dangerous is its high severity score of 9.8, indicating it is a critical threat. It's also noteworthy that the exploitation of this vulnerability leaves specific indicators such as abnormal traffic to the "/saas./resttosaasservlet" endpoint and suspicious ncat commands in network traffic, which can help in its detection.\
+VMware has acknowledged the vulnerability and has published a security advisory recommending that users update to the latest version of the software. This update effectively patches the vulnerability and protects systems from this exploit. It's crucial that all users of the affected versions of VMware's vRealize Network Insight promptly apply the update to mitigate the risk posed by CVE-2023-20887.
+
 [analytic_story://VMware Server Side Injection and Privilege Escalation]
 category = Adversary Tactics
 last_updated = 2022-05-19

dist/escu/default/app.conf

@@ -4,7 +4,7 @@
 is_configured = false
 state = enabled
 state_change_requires_restart = false
-build = 14859
+build = 15163
 
 [triggers]
 reload.analytic_stories = simple
@@ -20,7 +20,7 @@ reload.es_investigations = simple
 
 [launcher]
 author = Splunk
-version = 4.5.0
+version = 4.5.1
 description = Explore the Analytic Stories included with ES Content Updates.
 
 [ui]

dist/escu/default/collections.conf

@@ -1,6 +1,6 @@
 #############
 # Automatically generated by generator.py in splunk/security_content
-# On Date: 2023-06-13T18:38:59 UTC
+# On Date: 2023-06-22T18:50:57 UTC
 # Author: Splunk Security Research
 # Contact: research@splunk.com
 #############

dist/escu/default/content-version.conf

@@ -1,2 +1,2 @@
 [content-version]
-version = 4.5.0
+version = 4.5.1

dist/escu/default/es_investigations.conf

@@ -1,6 +1,6 @@
 #############
 # Automatically generated by generator.py in splunk/security_content
-# On Date: 2023-06-13T18:38:59 UTC
+# On Date: 2023-06-22T18:50:57 UTC
 # Author: Splunk Security Research
 # Contact: research@splunk.com
 #############

dist/escu/default/macros.conf

@@ -1,6 +1,6 @@
 #############
 # Automatically generated by generator.py in splunk/security_content
-# On Date: 2023-06-13T18:38:59 UTC
+# On Date: 2023-06-22T18:50:57 UTC
 # Author: Splunk Security Research
 # Contact: research@splunk.com
 #############
@@ -5269,6 +5269,10 @@ description = Update this macro to limit the output results to filter out false
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
 
+[vmware_aria_operations_exploit_attempt_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
 [vmware_server_side_template_injection_hunt_filter]
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.

dist/escu/default/savedsearches.conf

@@ -1,6 +1,6 @@
 #############
 # Automatically generated by generator.py in splunk/security_content
-# On Date: 2023-06-13T18:38:59 UTC
+# On Date: 2023-06-22T18:50:57 UTC
 # Author: Splunk Security Research
 # Contact: research@splunk.com
 #############
@@ -56592,6 +56592,61 @@ realtime_schedule = 0
 is_visible = false
 search = | tstats `security_content_summariesonly` count from datamodel=Web.Web where web.url=*logoimagehandler.ashx*codes* OR Web.url=*logoimagehandler.ashx*clazz* OR Web.url=*logoimagehandler.ashx*method* OR Web.url=*logoimagehandler.ashx*args* by Web.src Web.dest Web.url Web.vendor_product Web.user Web.http_user_agent _time span=1s | `supernova_webshell_filter`
 
+[ESCU - VMWare Aria Operations Exploit Attempt - Rule]
+action.escu = 0
+action.escu.enabled = 1
+description = The following analytic is designed to detect potential exploitation attempts against VMWare vRealize Network Insight that align with the characteristics of CVE-2023-20887. This specific vulnerability is a critical security flaw that, if exploited, could allow an attacker to execute arbitrary code on the affected system.\
+The analytic operates by monitoring web traffic, specifically HTTP POST requests, directed towards a specific URL endpoint ("/saas./resttosaasservlet"). This endpoint is known to be vulnerable and is a common target for attackers exploiting this vulnerability.\
+The behavior this analytic detects is the sending of HTTP POST requests to the vulnerable endpoint. This is a significant indicator of an attempted exploit as it is the primary method used to trigger the vulnerability. The analytic detects this behavior by analyzing web traffic data and identifying HTTP POST requests directed at the vulnerable endpoint.\
+Identifying this behavior is crucial for a Security Operations Center (SOC) as it can indicate an active attempt to exploit a known vulnerability within the network. If the identified behavior is a true positive, it suggests an attacker is attempting to exploit the CVE-2023-20887 vulnerability in VMWare vRealize Network Insight. The impact of such an attack could be severe, potentially allowing the attacker to execute arbitrary code on the affected system, leading to unauthorized access, data theft, or further propagation within the network.
+action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation"], "mitre_attack": ["T1133", "T1190", "T1210", "T1068"], "nist": ["DE.CM"]}
+action.escu.data_models = ["Web"]
+action.escu.eli5 = The following analytic is designed to detect potential exploitation attempts against VMWare vRealize Network Insight that align with the characteristics of CVE-2023-20887. This specific vulnerability is a critical security flaw that, if exploited, could allow an attacker to execute arbitrary code on the affected system.\
+The analytic operates by monitoring web traffic, specifically HTTP POST requests, directed towards a specific URL endpoint ("/saas./resttosaasservlet"). This endpoint is known to be vulnerable and is a common target for attackers exploiting this vulnerability.\
+The behavior this analytic detects is the sending of HTTP POST requests to the vulnerable endpoint. This is a significant indicator of an attempted exploit as it is the primary method used to trigger the vulnerability. The analytic detects this behavior by analyzing web traffic data and identifying HTTP POST requests directed at the vulnerable endpoint.\
+Identifying this behavior is crucial for a Security Operations Center (SOC) as it can indicate an active attempt to exploit a known vulnerability within the network. If the identified behavior is a true positive, it suggests an attacker is attempting to exploit the CVE-2023-20887 vulnerability in VMWare vRealize Network Insight. The impact of such an attack could be severe, potentially allowing the attacker to execute arbitrary code on the affected system, leading to unauthorized access, data theft, or further propagation within the network.
+action.escu.how_to_implement = To successfully implement this search, you need to be ingesting web or proxy logs, or ensure it is being filled by a proxy like device, into the Web Datamodel. Restrict to specific dest assets to reduce false positives.
+action.escu.known_false_positives = False positives will be present based on gateways in use, modify the status field as needed.
+action.escu.creation_date = 2023-06-21
+action.escu.modification_date = 2023-06-21
+action.escu.confidence = high
+action.escu.full_search_name = ESCU - VMWare Aria Operations Exploit Attempt - Rule
+action.escu.search_type = detection
+action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
+action.escu.providing_technologies = null
+action.escu.analytic_story = ["VMware Aria Operations vRealize CVE-2023-20887"]
+action.risk = 1
+action.risk.param._risk_message = An exploitation attempt has occurred against $dest$ from $src$ related to CVE-2023-20887
+action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 72}, {"risk_object_field": "src", "risk_object_type": "system", "risk_score": 72}]
+action.risk.param._risk_score = 0
+action.risk.param.verbose = 0
+cron_schedule = 0 * * * *
+dispatch.earliest_time = -70m@m
+dispatch.latest_time = -10m@m
+action.correlationsearch.enabled = 1
+action.correlationsearch.label = ESCU - VMWare Aria Operations Exploit Attempt - Rule
+action.correlationsearch.annotations = {"analytic_story": ["VMware Aria Operations vRealize CVE-2023-20887"], "cis20": ["CIS 13"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Delivery", "Installation", "Exploitation"], "mitre_attack": ["T1133", "T1190", "T1210", "T1068"], "nist": ["DE.CM"]}
+schedule_window = auto
+action.notable = 1
+action.notable.param.nes_fields = user,dest
+action.notable.param.rule_description = The following analytic is designed to detect potential exploitation attempts against VMWare vRealize Network Insight that align with the characteristics of CVE-2023-20887. This specific vulnerability is a critical security flaw that, if exploited, could allow an attacker to execute arbitrary code on the affected system.\
+The analytic operates by monitoring web traffic, specifically HTTP POST requests, directed towards a specific URL endpoint ("/saas./resttosaasservlet"). This endpoint is known to be vulnerable and is a common target for attackers exploiting this vulnerability.\
+The behavior this analytic detects is the sending of HTTP POST requests to the vulnerable endpoint. This is a significant indicator of an attempted exploit as it is the primary method used to trigger the vulnerability. The analytic detects this behavior by analyzing web traffic data and identifying HTTP POST requests directed at the vulnerable endpoint.\
+Identifying this behavior is crucial for a Security Operations Center (SOC) as it can indicate an active attempt to exploit a known vulnerability within the network. If the identified behavior is a true positive, it suggests an attacker is attempting to exploit the CVE-2023-20887 vulnerability in VMWare vRealize Network Insight. The impact of such an attack could be severe, potentially allowing the attacker to execute arbitrary code on the affected system, leading to unauthorized access, data theft, or further propagation within the network.
+action.notable.param.rule_title = VMWare Aria Operations Exploit Attempt
+action.notable.param.security_domain = network
+action.notable.param.severity = high
+alert.digest_mode = 1
+disabled = true
+enableSched = 1
+allow_skew = 100%
+counttype = number of events
+relation = greater than
+quantity = 0
+realtime_schedule = 0
+is_visible = false
+search = | tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("*/saas./resttosaasservlet*")  Web.http_method=POST Web.status IN ("unknown", "200") by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `vmware_aria_operations_exploit_attempt_filter`
+
 [ESCU - VMware Server Side Template Injection Hunt - Rule]
 action.escu = 0
 action.escu.enabled = 1

dist/escu/default/transforms.conf

@@ -1,6 +1,6 @@
 #############
 # Automatically generated by generator.py in splunk/security_content
-# On Date: 2023-06-13T18:38:59 UTC
+# On Date: 2023-06-22T18:50:57 UTC
 # Author: Splunk Security Research
 # Contact: research@splunk.com
 #############

dist/escu/default/workflow_actions.conf

@@ -1,6 +1,6 @@
 #############
 # Automatically generated by generator.py in splunk/security_content
-# On Date: 2023-06-13T18:38:59 UTC
+# On Date: 2023-06-22T18:50:57 UTC
 # Author: Splunk Security Research
 # Contact: research@splunk.com
 #############