Potential CVE-2023-27997 Exploitation Indicators
Detects indicators of potential exploitation of CVE-2023-27997 in Fortigate web logs. To reduce false positives, look for successive requests to the endpoints listed below as well as unusual values of the "enc" parameter.
Sigma rule
title: Potential CVE-2023-27997 Exploitation Indicators
id: 31e4e649-7394-4fd2-9ae7-dbc61eebb550
status: test
description: |
    Detects indicators of potential exploitation of CVE-2023-27997 in Fortigate web logs.
    To avoid false positives it is best to look for successive requests to the endpoints mentioned as well as unusual values of the "enc" parameter
references:
    - https://blog.lexfo.fr/Forensics-xortigate-notice.html
    - https://blog.lexfo.fr/xortigate-cve-2023-27997.html
    - https://research.kudelskisecurity.com/2023/06/12/cve-2023-27997-fortigate-ssl-vpn/
    - https://labs.watchtowr.com/xortigate-or-cve-2023-27997/
author: Sergio Palacios Dominguez, Nasreddine Bencherchali (Nextron Systems)
date: 2023/07/28
tags:
    - cve.2023.27997
    - attack.initial_access
    - attack.t1190
    - detection.emerging_threats
logsource:
    category: webserver
detection:
    selection_uri:
        cs-method:
            - 'GET'
            - 'POST'
        cs-uri-query|contains:
            - '/remote/hostcheck_validate'
            - '/remote/logincheck'
    selection_keywords:
        - 'enc='
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
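As an added example (not part of the Sigma project or written by the rule's authors), the script below mirrors the rule's two selections over constructed web server log lines and then applies the triage advice from the description: it groups matches by client and flags "enc" values that do not look like even-length hex. The log layout (date, time, c-ip, cs-method, cs-uri-query, sc-status) and the hex heuristic are assumptions for the example, not something the rule specifies.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the page); one request per line with
# fields: date time c-ip cs-method cs-uri-query sc-status
SAMPLE_LOG = """\
2023-07-28 10:00:01 203.0.113.7 POST /remote/hostcheck_validate?enc=41414141 200
2023-07-28 10:00:02 203.0.113.7 POST /remote/hostcheck_validate?enc=zz%00%ff 200
2023-07-28 10:00:03 203.0.113.7 GET /remote/logincheck?enc=414141 200
2023-07-28 10:05:00 198.51.100.9 GET /remote/login?lang=en 200
2023-07-28 10:06:00 198.51.100.9 POST /remote/logincheck?enc=4141 200
"""

METHODS = {"GET", "POST"}                                   # cs-method values from the rule
URIS = ("/remote/hostcheck_validate", "/remote/logincheck")  # cs-uri-query|contains values
ENC_RE = re.compile(r"(?:\?|&)enc=([^&\s]*)")                # pulls the enc= value out of the URI

def parse(line):
    """Split one constructed log line into the Sigma field names the rule uses."""
    _date, _time, c_ip, method, uri, status = line.split()
    return {"c-ip": c_ip, "cs-method": method, "cs-uri-query": uri,
            "sc-status": status, "raw": line}

def rule_matches(event):
    """Mirror of the rule condition 'all of selection_*'."""
    selection_uri = (event["cs-method"] in METHODS
                     and any(u in event["cs-uri-query"] for u in URIS))
    selection_keywords = "enc=" in event["raw"]   # Sigma keywords match the whole event
    return selection_uri and selection_keywords

def odd_enc(value):
    """Assumed heuristic: treat anything that is not even-length hex as unusual."""
    return not (value and len(value) % 2 == 0 and re.fullmatch(r"[0-9a-fA-F]+", value))

def triage(log_text, min_hits=2):
    """Return clients that hit the rule min_hits times or sent an odd enc value."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        event = parse(line)
        if rule_matches(event):
            hits[event["c-ip"]].append(event)
    report = {}
    for ip, events in hits.items():
        odd = []
        for event in events:
            m = ENC_RE.search(event["cs-uri-query"])
            if m and odd_enc(m.group(1)):
                odd.append(m.group(1))
        if len(events) >= min_hits or odd:
            report[ip] = {"hits": len(events), "odd_enc": odd}
    return report
```

Running `triage(SAMPLE_LOG)` keeps only the client that hit the endpoints three times in a row with one non-hex value, while the single well-formed request from the second client is left out as likely benign.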
Related rules
- Potential CVE-2023-2283 Exploitation
- Potential CVE-2023-25717 Exploitation Attempt
- Potential MOVEit Transfer CVE-2023-34362 Exploitation
- OWASSRF Exploitation Attempt Using Public POC - Webserver
- Potential OWASSRF Exploitation Attempt - Webserver