Potential CVE-2023-27997 Exploitation Indicators

Detects indicators of potential exploitation of CVE-2023-27997 in Fortigate web logs. To reduce false positives, look for successive requests to the endpoints listed below as well as anomalous values of the "enc" parameter, rather than alerting on a single matching request.

Sigma rule

title: Potential CVE-2023-27997 Exploitation Indicators
id: 31e4e649-7394-4fd2-9ae7-dbc61eebb550
status: experimental
description: |
    Detects indicators of potential exploitation of CVE-2023-27997 in Fortigate web logs.
    To avoid false positives it is best to look for successive requests to the endpoints mentioned as well as anomalous values of the "enc" parameter
references:
    - https://blog.lexfo.fr/Forensics-xortigate-notice.html
    - https://blog.lexfo.fr/xortigate-cve-2023-27997.html
    - https://research.kudelskisecurity.com/2023/06/12/cve-2023-27997-fortigate-ssl-vpn/
    - https://labs.watchtowr.com/xortigate-or-cve-2023-27997/
author: Sergio Palacios Dominguez, Nasreddine Bencherchali (Nextron Systems)
date: 2023/07/28
tags:
    - cve.2023.27997
    - attack.initial_access
    - attack.t1190
    - detection.emerging_threats
logsource:
    category: webserver
detection:
    selection_uri:
        cs-method:
            - 'GET'
            - 'POST'
        cs-uri-query|contains:
            - '/remote/hostcheck_validate'
            - '/remote/logincheck'
    selection_keywords:
        - 'enc='
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
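The rule above only matches a single request; the description recommends also checking for bursts of requests and odd "enc" values. The following is an added example (not part of the Sigma project or the rule) that applies the rule's selection logic to constructed log lines and layers both heuristics on top. The log shape (method, URI, source address) and the assumption that a benign "enc" value is a plain hex string are this example's own, not taken from the page.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Constructed sample log lines in a minimal "METHOD URI SOURCE" shape (not real Fortigate output).
SAMPLE_LOGS = [
    "GET /remote/login?lang=en 203.0.113.5",
    "POST /remote/logincheck?enc=0a1b2c3d4e5f60718293a4b5 198.51.100.7",
    "POST /remote/logincheck?enc=AAAA%%%%zzzz 198.51.100.7",
    "POST /remote/logincheck?enc=notahexvalue 198.51.100.7",
    "GET /remote/hostcheck_validate?enc=deadbeef 198.51.100.7",
    "POST /remote/logincheck?enc= 198.51.100.7",
    "GET /static/logo.png 192.0.2.9",
]

ENDPOINTS = ("/remote/hostcheck_validate", "/remote/logincheck")
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")  # assumption: benign enc values are hex


def rule_matches(method, uri):
    """Mirror the Sigma rule: GET/POST to a listed endpoint with an enc= parameter."""
    hit_endpoint = any(ep in uri for ep in ENDPOINTS)
    return method in ("GET", "POST") and hit_endpoint and "enc=" in uri


def enc_looks_odd(uri):
    """Flag enc values that are empty or not hex (heuristic, assumed here)."""
    query = parse_qs(urlparse(uri).query, keep_blank_values=True)
    return any(not HEX_RE.match(v) for v in query.get("enc", []))


def analyze(lines, burst_threshold=3):
    """Return one record per rule match, annotated with burst and odd-enc flags."""
    matches, per_source = [], Counter()
    for line in lines:
        method, uri, src = line.split()
        if rule_matches(method, uri):
            per_source[src] += 1
            matches.append({"src": src, "uri": uri, "odd_enc": enc_looks_odd(uri)})
    bursty = {s for s, n in per_source.items() if n >= burst_threshold}
    for m in matches:
        m["burst"] = m["src"] in bursty  # successive requests from one source
    return matches


if __name__ == "__main__":
    for record in analyze(SAMPLE_LOGS):
        print(record)
```

Records with both flags set are the ones worth triaging first; a lone hex "enc" value from a source seen once is closer to the rule's own medium-level baseline.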
