Sneed-Reactivity/yara-Neo23x0/expl_ivanti_epmm_mobileiron_cve_2023_35078.yar

54 lines
2 KiB
Text
Raw Permalink Normal View History

rule LOG_EXPL_Ivanti_EPMM_MobileIron_Core_CVE_2023_35078_Jul23_1 {
meta:
description = "Detects the successful exploitation of Ivanti Endpoint Manager Mobile (EPMM) / MobileIron Core CVE-2023-35078"
author = "Florian Roth"
reference = "Ivanti Endpoint Manager Mobile (EPMM) CVE-2023-35078 - Analysis Guidance"
date = "2023-07-25"
score = 75
id = "44cca0b5-3851-5786-82fd-ce3ccb566453"
strings:
$xr1 = /\/mifs\/aad\/api\/v2\/[^\n]{1,300} 200 [1-9][0-9]{0,60} /
condition:
$xr1
}
rule MAL_WAR_Ivanti_EPMM_MobileIron_Mi_War_Aug23 {
meta:
description = "Detects WAR file found in the Ivanti EPMM / MobileIron Core compromises exploiting CVE-2023-35078"
author = "Florian Roth"
reference = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-213a"
date = "2023-08-01"
score = 85
hash1 = "6255c75e2e52d779da39367e7a7d4b8d1b3c9c61321361952dcc05819251a127"
id = "cd16cf29-a90d-5c3f-b66f-e9264dbf79fb"
strings:
$s1 = "logsPaths.txt" ascii fullword
$s2 = "keywords.txtFirefox" ascii
condition:
uint16(0) == 0x4b50 and
filesize < 20KB and
all of them
}
rule MAL_WAR_Ivanti_EPMM_MobileIron_LogClear_JAVA_Aug23 {
meta:
description = "Detects LogClear.class found in the Ivanti EPMM / MobileIron Core compromises exploiting CVE-2023-35078"
author = "Florian Roth"
reference = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-213a"
date = "2023-08-01"
score = 80
hash1 = "deb381c25d7a511b9eb936129eeba2c0341cff7f4bd2168b05e40ab2ee89225e"
id = "e1ef3bf3-0107-5ba6-a49f-71e079851a4f"
strings:
$s1 = "logsPaths.txt" ascii fullword
$s2 = "log file: %s, not read" ascii fullword
$s3 = "/tmp/.time.tmp" ascii fullword
$s4 = "readKeywords" ascii fullword
$s5 = "\"---------------- ----------------" ascii fullword
condition:
uint16(0) == 0xfeca and
filesize < 20KB and
4 of them or all of them
}