Potential CVE-2023-27997 Exploitation Indicators
Detects indicators of potential exploitation of CVE-2023-27997 in Fortigate web logs. To reduce false positives, look for successive requests to the listed endpoints together with unusual values of the "enc" parameter rather than alerting on a single hit.
Sigma rule
```yaml
title: Potential CVE-2023-27997 Exploitation Indicators
id: 31e4e649-7394-4fd2-9ae7-dbc61eebb550
status: test
description: |
    Detects indicators of potential exploitation of CVE-2023-27997 in Fortigate weblogs.
    To avoid false positives it is best to look for successive requests to the endpoints mentioned as well as weird values of the "enc" parameter
references:
    - https://blog.lexfo.fr/Forensics-xortigate-notice.html
    - https://blog.lexfo.fr/xortigate-cve-2023-27997.html
    - https://research.kudelskisecurity.com/2023/06/12/cve-2023-27997-fortigate-ssl-vpn/
    - https://labs.watchtowr.com/xortigate-or-cve-2023-27997/
author: Sergio Palacios Dominguez, Nasreddine Bencherchali (Nextron Systems)
date: 2023-07-28
tags:
    - cve.2023-27997
    - attack.initial-access
    - attack.t1190
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection_uri:
        cs-method:
            - 'GET'
            - 'POST'
        cs-uri-query|contains:
            - '/remote/hostcheck_validate'
            - '/remote/logincheck'
    selection_keywords:
        - 'enc='
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
```
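The following added example (not part of the Sigma rule or the page) applies the rule's selection logic to constructed web log lines and adds the two false-positive filters the description suggests: a burst of matching requests from one client and an unusual "enc" value. The log layout, the burst threshold (3 requests within 60 s) and the definition of "weird" (non-hex or longer than 1024 characters) are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in a simplified "<timestamp> <client-ip> <method> <uri>" layout
# (assumption: not real Fortigate output). 203.0.113.x / 198.51.100.x are documentation ranges.
SAMPLE_LOGS = [
    "2023-07-28T10:00:01 203.0.113.7 GET /remote/login?lang=en",
    "2023-07-28T10:00:05 203.0.113.7 POST /remote/logincheck?enc=a1b2c3d4e5f6a7b8c9d0",
    "2023-07-28T10:00:06 203.0.113.7 POST /remote/hostcheck_validate?enc=zz%%not-hex%%",
    "2023-07-28T10:00:07 203.0.113.7 POST /remote/logincheck?enc=" + "41" * 2048,
    "2023-07-28T10:01:00 198.51.100.2 POST /remote/logincheck?enc=0f1e2d3c4b5a69788796",
]

ENDPOINTS = ("/remote/hostcheck_validate", "/remote/logincheck")
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
MAX_ENC_LEN = 1024          # assumed: enc values longer than this are "weird"
WINDOW = timedelta(seconds=60)
MIN_BURST = 3               # assumed: this many rule hits inside WINDOW counts as a burst

def matches_rule(method, uri):
    """Mirror of the Sigma selection: GET/POST to either endpoint, with an enc= parameter."""
    return method in ("GET", "POST") and any(e in uri for e in ENDPOINTS) and "enc=" in uri

def weird_enc(uri):
    """Heuristic for an unusual enc value: not pure hex, or implausibly long."""
    values = parse_qs(urlsplit(uri).query).get("enc", [])
    return any(not HEX_RE.match(v) or len(v) > MAX_ENC_LEN for v in values)

def analyze(lines):
    """Per client: number of rule hits, hits with a weird enc value, and whether a burst occurred."""
    hits = defaultdict(list)
    weird = defaultdict(int)
    for line in lines:
        ts, ip, method, uri = line.split(" ", 3)
        if not matches_rule(method, uri):
            continue
        hits[ip].append(datetime.fromisoformat(ts))
        if weird_enc(uri):
            weird[ip] += 1
    report = {}
    for ip, times in hits.items():
        times.sort()
        # A burst is MIN_BURST consecutive hits whose first and last fall within WINDOW.
        burst = any(times[i + MIN_BURST - 1] - times[i] <= WINDOW
                    for i in range(len(times) - MIN_BURST + 1))
        report[ip] = {"hits": len(times), "weird_enc": weird[ip], "burst": burst}
    return report
```

Only 203.0.113.7 shows both a burst and weird enc values in the sample; 198.51.100.2 matches the raw rule once and would be a candidate false positive.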