Search-based alerts

Search-based alerts are generated by Corelight-defined log search queries. The Corelight Labs team creates these alerts using LogScale searches, correlating threat indicators from the logs. This type of alert provides expanded coverage and rapid response.

You can find more information for each search-based alert by clicking the alert name in the Alert Catalog. The alert details provide a summary and suggest next steps for each detection to guide your investigation and troubleshooting.

The search-based alerts described in the following sections are available in Investigator, grouped by their MITRE ATT&CK categories.

Initial access

Initial Access consists of techniques that use various entry vectors to gain their initial foothold within a network.

The next sections describe the initial access search-based alerts.

Adobe ColdFusion

Detected Adobe ColdFusion CVE-2024-20767 arbitrary file system read.

CVE-2024-20767 is a critical Adobe ColdFusion vulnerability that could lead to arbitrary file system reads. A Proof of Concept exploit has been publicly released. Adobe has released security updates (a patch) for ColdFusion versions 2021 and 2023.

Default severity: 9

Atlassian Preauth RCE

Atlassian Bitbucket CVE-2022-0540 RCE attempt detected.

CVE-2022-0540 is a command injection vulnerability in multiple API endpoints. In this attack, an attacker with access to a public repository or with read permissions to a private Bitbucket repository would be able to execute arbitrary code by sending a malicious HTTP request.

Default severity: 10

Cisco IOS XE Command Execution Attempt

Cisco IOS XE CVE-2023-20273 command execution detected.

The previously unknown vulnerability, which is tracked as CVE-2023-20198, resides in the Web User Interface of Cisco IOS XE software when exposed to the Internet or untrusted networks.

Default severity: 10

Cisco IOS XE Software Backdoor

Cisco IOS XE CVE-2023-20198 backdoor detected.

This previously unknown vulnerability, tracked as CVE-2023-20198, resides in the Web User Interface of Cisco IOS XE software when exposed to the Internet or untrusted networks. This alert detects backdoor activity associated with the in-the-wild exploits observed by Talos.

Default severity: 10

Citrix Netscaler CVE-2023-4966 (CitrixBleed)

Detects successful CVE-2023-4966 Citrix Netscaler exploits over HTTP.

CVE-2023-4966 is a software vulnerability found in Citrix NetScaler ADC and NetScaler Gateway appliances with exploitation activity identified as early as August 2023. This vulnerability provides threat actors, including LockBit 3.0 ransomware affiliates, the capability to bypass MFA and hijack legitimate user sessions.

Default severity: 10

Confluence Authorization Vulnerability

CVE-2023-22518 - Improper Authorization Vulnerability In Confluence Data Center and Server detected.

All versions of Confluence Data Center and Server are affected by this vulnerability. This Improper Authorization vulnerability allows an unauthenticated attacker to reset Confluence and create a Confluence instance administrator account. Using this account, an attacker can perform all administrative actions available to a Confluence instance administrator, leading to a full loss of confidentiality, integrity, and availability.

Default severity: 10

Curl Package Vulnerability

Curl CVE-2023-38545 and CVE-2023-38546

CVE-2023-38545 is a SOCKS5 heap buffer overflow: curl overflows a heap-based buffer during the SOCKS5 proxy handshake. CVE-2023-38546 is a cookie injection that allows an attacker to insert cookies at will into a running program using libcurl, if a specific series of conditions is met.

Default severity: 10

DApp Injection

Possible Water Labbu cryptocurrency theft attempt detected.

Threat actor Water Labbu capitalizes on the social engineering schemes of other scammers, injecting malicious JavaScript code into those scammers' decentralized application websites to steal cryptocurrency.

Default severity: 8

Fortigate RCE CVE-2024-21762

Detects a successful Fortigate Remote Code Execution (RCE) per CVE-2024-21762.

CVE-2024-21762 is an RCE vulnerability in Fortigate FortiOS and FortiProxy. An out-of-bounds write vulnerability in FortiOS and FortiProxy can let a remote unauthenticated attacker execute arbitrary code or commands through specially crafted HTTP requests. A Proof of Concept exploit was publicly released and Fortigate made a patch available.

Default severity: 10

Fortiguard Auth Bypass

Fortiguard CVE-2022-40684 auth bypass attempt detected.

This vulnerability allows adversaries to bypass authentication and log into target systems as an administrator in FortiOS / FortiProxy / FortiSwitchManager products. With these privileges, the adversary may create new users, update or download network/system configurations, reroute traffic, or listen to and capture sensitive data by running packet capturing programs.

Default severity: 10

Fortinet FortiSIEM Command Injection

Detected Fortinet FortiSIEM successful Remote Code Execution (CVE-2024-23108).

CVE-2024-23108 is a Remote Code Execution vulnerability in Fortinet FortiSIEM. Fortigate has made a patch available and a Proof of Concept exploit has been publicly released.

Default severity: 10

Fortinet Key Upload

Fortinac CVE-2022-39952 exploitation attempt detected.

External control of a filename or path in Fortinet FortiNAC may allow an unauthenticated attacker to execute unauthorized code or commands through a specifically crafted HTTP request.

Default severity: 10

Fortra FileCatalyst remote code execution CVE-2024-25153

Detects Fortra FileCatalyst successful remote code execution (CVE-2024-25153).

CVE-2024-25153 is a Remote Code Execution vulnerability in Fortra FileCatalyst. A Proof of Concept exploit has been publicly released and Fortra has made a patch available.

Default severity: 9

GeoServer RCE

Detects CVE-2024-36401, a Remote Code Execution vulnerability in GeoServer. Successful exploitation of this vulnerability would allow attackers to execute arbitrary code on the GeoServer host, potentially leading to full server compromise.

Default severity: 10

JetBrains TeamCity Authentication Bypass CVE-2024-27198

Detects systems vulnerable to JetBrains TeamCity Authentication Bypass CVE-2024-27198.

Vulnerability CVE-2024-27198 lets attackers bypass JetBrains authentication using an alternate path or channel. This vulnerability allows for a potential compromise of a vulnerable TeamCity server by a remote unauthenticated attacker. Compromising a TeamCity server gives an attacker full control over all TeamCity projects, builds, agents and artifacts, and could position an attacker to perform unauthenticated remote code execution and a supply chain attack. A patch is available through JetBrains.

Default severity: 9

JetBrains TeamCity Authentication Bypass CVE-2024-27199

Detects systems vulnerable to JetBrains TeamCity Authentication Bypass CVE-2024-27199.

Vulnerability CVE-2024-27199 lets attackers bypass JetBrains authentication using an alternate path or channel. This vulnerability allows for a limited amount of information disclosure and a limited amount of system modification, including the ability for an unauthenticated attacker to replace the HTTPS certificate in a vulnerable TeamCity server with a certificate of the attacker’s choosing. A patch is available through JetBrains.

Default severity: 8

Kali Presence

A host using the Kali offensive security Linux distribution was detected performing software updates. Attackers may use the tools installed by these software updates to move laterally through the network and/or potentially exfiltrate data.

Kali Linux is an open-source Linux distribution geared toward information security tasks, including penetration testing, security research, computer forensics, and reverse engineering. A host using this distribution may be able to perform lateral movement or data exfiltration.

Default severity: 9

MOVEit Authentication Bypass POST

Detected MOVEit CVE-2024-5806 Authentication bypass ATTEMPT (POST content).

CVE-2024-5806 is an authentication bypass of Progress Software MOVEit. Fortigate has made a patch available and a Proof of Concept exploit has been publicly released. This alert constitutes an ATTEMPT at the CVE-2024-5806 exploit, where the vulnerable parameters are seen in the post_body field.

Default severity: 10

MOVEit Authentication Bypass SSH

Detected MOVEit CVE-2024-5806 Authentication bypass (Paramiko SSH).

CVE-2024-5806 is an authentication bypass of Progress Software MOVEit. Fortigate has made a patch available and a Proof of Concept exploit has been publicly released. This alert constitutes a SUCCESSFUL ATTEMPT at the CVE-2024-5806 exploit, where the Paramiko SSH client (used in the POC) makes a connection to the MOVEit SSH instance. Paramiko is a Python module commonly used in Python-based POC exploits involving SSH, and also in many attack tools.

Default severity: 10

OpenSSL Punycode

OpenSSL CVE-2022-3602 exploitation attempt detected.

CVE-2022-3602 is an arbitrary 4-byte stack buffer overflow in OpenSSL's punycode handling that has been assessed as critical by the OpenSSL project. Exploitation of this vulnerability may lead to remote code execution.

Default severity: 10

Proxy Not Shell

MS Exchange CVE-2022-41040 / CVE-2022-41082 ProxyNotShell exploitation attempt detected.

ProxyNotShell exploitation of Microsoft Exchange Server 2013, Exchange Server 2016, or Exchange Server 2019 may allow attackers to perform Server-Side Request Forgery or Remote Code Execution. Authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either vulnerability.

Default severity: 10

RegreSSHion

Detects CVE-2024-6387 (regreSSHion) SSH exploitation attempts.

CVE-2024-6387 is a Remote Code Execution vulnerability in OpenSSH. This alert constitutes an attempt at the CVE-2024-6387 exploit: it fires when the number of SSH analyzer violations thought to be produced by an attempt exceeds a threshold of 100 in the last hour.

Default severity: 8

ScreenConnect Authentication Bypass CVE-2024-1709

Detects systems vulnerable to ScreenConnect Authentication Bypass CVE-2024-1709.

Critical vulnerability CVE-2024-1709 allows anonymous attackers to exploit an authentication bypass flaw to create admin accounts on publicly exposed instances. Using the system admin role would allow the attacker to delete other users and take over the instance.

Default severity: 10

Sonicwall RCE/DOS CVE-2022-22274 / CVE-2023-0656

Detects systems vulnerable to Sonicwall CVE-2022-22274 and CVE-2023-0656 over HTTP. A stack-based buffer overflow vulnerability in SonicOS, reachable through an HTTP request, allows a remote unauthenticated attacker to cause a Denial of Service (DoS) or potentially achieve code execution on the firewall. This vulnerability only impacts the web management interface; the SonicOS SSLVPN interface is not impacted.

Default severity: 10

Text4Shell

Apache Commons Text CVE-2022-42889 log4text exploitation attempt detected.

In Apache Commons Text, a default interpolator allows for string lookups that can lead to Remote Code Execution. This is due to a logic flaw that makes some lookup keys (script, dns, and url) interpolated by default. Those keys allow an attacker to execute arbitrary code through lookups, achieving remote code execution (RCE) on the machine and compromising the entire host.

Default severity: 10

WS_FTP Remote Commands

WS_FTP CVE-2023-40044 RCE attempt detected.

In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a pre-authenticated attacker could leverage a .NET deserialization vulnerability in the Ad Hoc Transfer module to execute remote commands on the underlying WS_FTP Server operating system.

Default severity: 10

Command and control

Attackers often use software that is controlled through a mechanism called a C2 (command and control) channel. To avoid detection, malicious software often attempts to obfuscate the C2 traffic to make it look benign. HTTP traffic is very commonly used to carry C2 communications since it easily traverses between most organizations and the internet.

The next sections describe the search-based alerts related to command and control.

AsyncRAT remote access trojan

AsyncRAT is a remote access trojan (RAT) that uses an encrypted C2 channel to allow remote monitoring and control of the infected machine, including keylogging, screen recording, controlling the desktop and webcam, running remote shells, and injecting new payloads.

Default severity: 10

BunnyLoader 1

BunnyLoader C2 communications using known uri and user_agents.

Malware loader BunnyLoader provides functionalities such as downloading and executing malware, stealing browser credentials and system information, keylogging, stealing credentials, and running remote commands on the infected machine.

Default severity: 10

BunnyLoader 2

BunnyLoader C2 communications using known uri parameters.

Malware loader BunnyLoader provides various functionalities such as downloading and executing malware, stealing browser credentials and system information, keylogging, stealing credentials, and running remote commands on the infected machine.

Default severity: 10

Havoc C2

Detects Malware C2 communications associated with Havoc C2. The Havoc command and control (C2) framework includes a variety of modules allowing users to perform various tasks on exploited devices, including executing commands, managing processes, downloading additional payloads, manipulating Windows tokens, and executing shell code.

Default severity: 10

Hyperscrape

Possible APT 35 HYPERSCRAPE malware data exfiltration detected.

Default severity: 10

Kolobko

Malware C2 communications associated with Lapsu$/UNC2447/Yanluowang detected.

Default severity: 10

LogScale IoC match: HTTP host

Malicious domain name observed in the host field of HTTP logs.

Default severity: 8

LogScale IoC match: SSL server_name

Malicious domain name observed in the server_name field of SSL logs.

Default severity: 8

Manjusaka C2 search 2

Manjusaka malware C2 communication detected.

Default severity: 10

Manjusaka C2 search 3

Manjusaka malware “keep alive” detected.

Default severity: 10

Mythic C2 Communications

Mythic C2 communications detected.

Mythic is an open source command and control platform for red teaming operations with a variety of agents and supports multiple protocols for C2.

Default severity: 10

Nim Plant C2

NimPlant C2 communications detected.

Default severity: 10

Onion domain

Top level onion domain detected.

Anonymous websites on the Tor network use the top-level domain .onion, which is accessible only from the Tor anonymity browser. The presence of .onion domains in the logs might indicate that the originating system (a potential attacker) is establishing Tor connections and C2 communications to hide the destination of the connections and evade blacklist-based detection.

Default severity: 7

Scanbox

SCANBOX browser exploitation framework traffic detected.

The ScanBox browser exploit campaign starts with phishing emails that include links to a website impersonating Australian media entities such as Australian morning news. Through the phishing attempt, victims visit an infected website, where they are infected with SCANBOX malware. This detection alerts if visitors clicked the link to the phishing site or if communications occur between the implant and the C2 over HTTP.

Default severity: 10

Sliver GET URI

Sliver exploitation framework network traffic detected.

Default severity: 10

Sliver POST URI

SLIVER exploitation framework network traffic detected.

Default severity: 10

Trojan Android/SmsSpy

Detects Trojan:Android/SmsSpy variants, which intercept incoming SMS messages and forward them to a remote site.

Default severity: 9

Vidar C2

Malware C2 communications associated with Vidar C2 detected.

Vidar C2 Malware has the ability to collect sensitive information from an infected computer and exfiltrate this data. Vidar may collect a variety of information from infected computers, browsers, and digital wallets including OS data, credentials, and browser history.

Default severity: 10

Credential access

Credential Access consists of techniques for stealing credentials like account names and passwords.

The next sections describe the search-based alerts related to credential access.

Confluence Hardcoded Password

Confluence CVE-2022-26138 hardcoded password usage detected.

The Questions for Confluence app may create Confluence user accounts with hardcoded credentials stored inside the plugin jar file. An attacker with knowledge of these credentials could log into the Confluence application and access all content within the confluence-users group. Atlassian has rated the vulnerability critical and highlighted that the vulnerability is being exploited in the wild.

Default severity: 10

Kerberos Weak Ciphers

Kerberos tickets are used to obtain access to resources. If weak encryption such as RC4 is used, it is possible to recover passwords using attacks such as Kerberoasting. If a user on the network attempts to use such a ticket, this search detects the ticket and generates an alert.

Default severity: 6

Privilege escalation

Privilege escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network.

The next section describes the search-based alerts related to privilege escalation.

Confluence Server Privilege Escalation

Potential CVE-2023-22515 attempt, Zero-Day Privilege Escalation in Confluence Server and Data Center.

Default severity: 10