Search-based alerts¶
Search-based alerts are generated by Corelight-defined log search queries. The Corelight Labs team creates these alerts using LogScale searches, correlating threat indicators from the logs. This type of alert provides expanded coverage and rapid response.
You can find more information for each search-based alert by clicking the alert name in the Alert Catalog. The alert details provide a summary and suggest next steps for each detection to guide your investigation and troubleshooting.
The search-based alerts described in the following sections are available in Investigator, grouped by their MITRE ATT&CK categories.
Initial access¶
Initial Access consists of techniques that use various entry vectors to gain their initial foothold within a network.
The next sections describe the initial access search-based alerts.
Atlassian Preauth RCE¶
Atlassian Bitbucket CVE-2022-0540 RCE attempt detected.
CVE-2022-0540 is a command injection vulnerability in multiple API endpoints. In this attack, an attacker with access to a public repository or with read permissions to a private Bitbucket repository would be able to execute arbitrary code by sending a malicious HTTP request.
Default severity: 10
Cisco IOS XE Command Execution Attempt¶
Cisco IOS XE CVE-2023-20273 command execution detected.
The previously unknown vulnerability, which is tracked as CVE-2023-20198, resides in the Web User Interface of Cisco IOS XE software when exposed to the Internet or untrusted networks.
Default severity: 10
Cisco IOS XE Software Backdoor¶
Cisco IOS XE CVE-2023-20198 backdoor detected.
This previously unknown vulnerability, tracked as CVE-2023-20198, resides in the Web User Interface of Cisco IOS XE software when exposed to the Internet or untrusted networks. This alert detects backdoor activity associated with in-the-wild-exploits observed by Talos.
Default severity: 10
Citrix Netscaler CVE-2023-4966 (CitrixBleed)¶
Detects successful CVE-2023-4966 Citrix Netscaler exploits over HTTP.
CVE-2023-4966 is a software vulnerability found in Citrix NetScaler ADC and NetScaler Gateway appliances with exploitation activity identified as early as August 2023. This vulnerability provides threat actors, including LockBit 3.0 ransomware affiliates, the capability to bypass MFA and hijack legitimate user sessions.
Default severity: 10
Curl Package Vulnerability¶
Curl CVE-2023-38545 and CVE-2023-38546
CVE-2023-38545 is a SOCKS5 heap buffer overflow, which makes curl overflow a heap-based buffer in the SOCKS5 proxy handshake. CVE-2023-38546 is a cookie injection which allows an attacker to insert cookies at will into a running program, using libcurl, if a specific series of conditions are met.
Default severity: 10
DApp Injection¶
Possible Water Labbu cryptocurrency theft attempt detected.
Threat actor Water Labbu capitalizes on social engineering schemes of other scammers, injecting malicious JavaScript code into decentralized application websites of other scammers to steal cryptocurrency.
Default severity: 8
Fortigate RCE CVE-2024-21762¶
Detects a successful Fortigate Remote Code Execution (RCE) per CVE-2024-21762.
CVE-2024-21762 is an RCE vulnerability in Fortigate FortiOS and FortiProxy. An out-of-bounds write vulnerability in FortiOS and FortiProxy can let a remote unauthenticated attacker execute arbitrary code or command through specially crafted HTTP requests. A Proof of Concept exploit was publically released and Fortigate made a patch available.
Default severity: 10
Fortiguard Auth Bypass¶
Fortiguard CVE-2022-40684 auth bypass attempt detected.
This vulnerability allows adversaries to bypass authentication and login into target systems as an administrator in FortiOS / FortiProxy / FortiSwitchManager products. With these privileges, the adversary may create new users, update or download network/system configurations, reroute traffic, or listen to and capture sensitive data by running packet capturing programs.
Default severity: 10
Fortinet Key Upload¶
Fortinac CVE-2022-39952 exploitation attempt detected.
External control of a filename or path in Fortinet FortiNAC may allow an unauthenticated attacker to execute unauthorized code or commands through a specifically crafted HTTP request.
Default severity: 10
Fortra FileCatalyst remote code execution CVE-2024-251538¶
Detects Fortra FileCatalyst successful remote code execution (CVE-2024-25153).
CVE-2024-25153 is a Remote Code Execution vulnerability in Fortra FileCatalyst. A Proof of Concept exploit has been publically released and Fortra has made a patch available.
Default severity: 9
JetBrains TeamCity Authentication Bypass CVE-2024-27198¶
Detects systems vulnerable to JetBrains TeamCity Authentication Bypass CVE-2024-27198.
Vulnerability CVE-2024-27198 lets attackers bypass JetBrains authentication using an alternate path or channel. This vulnerability allows for a potential compromise of a vulnerable TeamCity server by a remote unauthenticated attacker. Compromising a TeamCity server gives an attacker full control over all TeamCity projects, builds, agents and artifacts, and could position an attacker to perform unauthenticated remote code execution and a supply chain attack. A patch is available through JetBrains.
Default severity: 9
JetBrains TeamCity Authentication Bypass CVE-2024-27199¶
Detects systems vulnerable to JetBrains TeamCity Authentication Bypass CVE-2024-27199.
Vulnerability CVE-2024-27199 lets attackers bypass JetBrains authentication using an alternate path or channel. This vulnerability allows for a limited amount of information disclosure and a limited amount of system modification, including the ability for an unauthenticated attacker to replace the HTTPS certificate in a vulnerable TeamCity server with a certificate of the attacker’s choosing. A patch is available through JetBrains.
Default severity: 8
Kali Presence¶
A host using the Kali offensive security Linux distribution was detected performing software updates. Attackers may use these software updates to move laterally through the network and/or potentially exfiltrate data.
Kali Linux is an open-source Linux distribution geared toward information security tasks, including penetration testing, security research, computer forensics, and reverse engineering. A host using this distribution may be able to perform lateral movement or data exfiltration.
Default severity: 9
OpenSSL Punycode¶
OpenSSL CVE-2022-3602 exploitation attempt detected.
Exploit CVE-2022-3602 is an arbitrary 4-byte stack buffer overflow that has been assessed as critical by the OpenSSL project. Exploitation of this vulnerability may lead to remote code execution.
Default severity: 10
Proxy Not Shell¶
MS Exchange CVE-2022-41040 / CVE-2022-41082 ProxyNotShell exploitation attempt detected.
ProxyNotShell exploitation of Microsoft Exchange Server 2013, Exchange Server 2016, or Exchange Server 2019 may allow attackers to perform Server-Side Request Forgery or Remote Code Execution. Authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either vulnerability.
Default severity: 10
ScreenConnect Authentication Bypass CVE-2024-1709¶
Detects systems vulnerable to ScreenConnect Authentication Bypass CVE-2024-1709.
Critical vulnerability CVE-2024-1709 allows anonymous attackers to exploit an authentication bypass flaw to create admin accounts on publicly exposed instances. Using the system admin role would allow the attacker to delete other users and take over the instance.
Default severity: 10
Sonicwall RCE/DOS CVE-2022-22274 / CVE-2023-0656¶
Detects systems vulnerable to Sonicwall CVE-2022-22274 and CVE-2023-0656 over HTTP. A stack-based buffer overflow vulnerability in the SonicOS through HTTP request allows a remote unauthenticated attacker to cause Denial of Service (DoS) or potentially results in code execution in the firewall. This vulnerability only impacts the web management interface, the SonicOS SSLVPN interface is not impacted.
Default severity: 10
Text4Shell¶
Apache Commons Text CVE-2022-42889 log4text exploitation attempt detected.
In Apache Commons Text, a default interpolator allows for string lookups that can lead to Remote Code Execution. This is due to a logic flaw that makes some lookup keys (script, dns, and url) interpolated by default. Those keys allow an attacker to execute arbitrary code through lookups and possibly perform remote code execution (RCE) to execute arbitrary code on the machine and compromise the entire host.
Default severity: 10
WS_FTP Remote Commands¶
WS_FTP CVE-2023-40044 RCE attempt detected.
In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a pre-authenticated attacker could leverage a .NET deserialization vulnerability in the Ad Hoc Transfer module to execute remote commands on the underlying WS_FTP Server operating system.
Default severity: 10
Command and control¶
Attackers often use software that is controlled through a mechanism called a C2 (command and control) channel. To avoid detection, malicious software often attempts to obfuscate the C2 traffic to make it look benign. HTTP traffic is very commonly used to carry C2 communications since it easily traverses between most organizations and the internet.
The next sections describe the search-based alerts related to command and control.
AsyncRAT remote access trojan¶
AsyncRAT is a remote access trojan (RAT) that uses an encrypted C2 channel to allow remote monitoring and control of the infected machine, including keylogging, screen recording, controlling the desktop and webcam, running remote shells, and injecting new payloads.
Default severity: 10
BunnyLoader 1¶
BunnyLoader C2 communications using known uri and user_agents.
Malware loader BunnyLoader provides functionalities such as downloading and executing malware, stealing browser credentials and system information, keylogging, stealing credentials, and running remote commands on the infected machine.
Default severity: 10
BunnyLoader 2¶
BunnyLoader C2 communications using known uri parameters.
Malware loader BunnyLoader provides various functionalities such as downloading and executing malware, stealing browser credentials and system information, keylogging, stealing credentials, and running remote commands on the infected machine.
Default severity: 10
Hyperscrape¶
Possible APT 35 HYPERSCRAPE malware data exfiltration detected.
Default severity: 10
Kolobko¶
Malware C2 communications associated with Lapsu$/UNC2447/Yanluowang detected.
Default severity: 10
Manjusaka C2 search 2¶
Manjusaka malware C2 communication detected.
Default severity: 10
Manjusaka C2 search 3¶
Manjusaka malware “keep alive” detected.
Default severity: 10
Nim Plant C2¶
NimPlant C2 communications detected.
Default severity: 10
Onion domain¶
Top level onion domain detected.
Anonymous websites on the Tor network utilize top-level domain .onion, which is accessible only from the Tor anonymity browser. Presence of .onion domains in the logs might indicate the originating system (a potential attacker) is establishing TOR connections and C2 communications to hide the destination of the connections and evade blacklist-based detection.
Default severity: 7
Scanbox¶
SCANBOX browser exploitation framework traffic detected.
The ScanBox browser exploit starts with phishing emails that include links to a website impersonating Australian media entities such as Australian morning news. Through the phishing attempt, victims visit an infected website, where they would be infected with SCANBOX malware. This detection alerts if visitors clicked the link to the phishing site or if communications occur between the implant and the C2 over HTTP.
Default severity: 10
Sliver GET URI¶
Sliver exploitation framework network traffic detected.
Default severity: 10
Sliver POST URI¶
SLIVER exploitation framework network traffic detected.
Default severity: 10
Vidar C2¶
Malware C2 communications associated with Vidar C2 detected.
Vidar C2 Malware has the ability to collect sensitive information from an infected computer and exfiltrate this data. Vidar may collect a variety of information from infected computers, browsers, and digital wallets including OS data, credentials, and browser history.
Default severity: 10
Credential access¶
Credential Access consists of techniques for stealing credentials like account names and passwords.
The next sections describe the search-based alerts related to credential access.
Confluence Hardcoded Password¶
Confluence CVE-2022-26138 hardcoded password usage detected.
Confluence user accounts with hardcoded credentials stored inside the plugin jar file may be created by the Questions for Confluence app. An attacker with knowledge of these credentials could log into the Confluence application and access all contents within the confluence-users group. Atlassian has rated the vulnerability critical and highlighted that the vulnerability is being exploited in the wild.
Default severity: 10
Kerberos Weak Ciphers¶
Kerberos tickets are used to obtain access to resources. If weak encryption such as RC4 is used, it is possible to obtain passwords using attacks such as Kerberoasting. If a user on the network were to attempt to use such a ticket, this search would detect this ticket and generate an alert.
Default severity: 6
Privilege escalation¶
Privilege escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network.
The next section describes the search-based alerts related to privilege escalation.
Confluence Server Privilege Escalation¶
Potential CVE-2023-22515 attempt, Zero-Day Privilege Escalation in Confluence Server and Data Center.
Default severity: 10