by Ivan Vinogradov, Solution Architect, and Bhabesh Rai, Associate Security Analytics Engineer, LogPoint

A recent publication by Cybersecurity and Infrastructure Security Agency (CISA) included a set of top exploited vulnerabilities between 2016 and 2020. The list of vulnerabilities included detailed descriptions, indicators of compromise (IOC), common vulnerabilities and exposures (CVE) IDs and mitigations. Even though there are no new threats in the CISA publication, it provides valuable intelligence in terms of prioritizing areas and what must be addressed with the most urgency. Based on the CISA’s findings, LogPoint has implemented a set of solutions to assist organizations in addressing the vulnerabilities.

The top vulnerabilities described by CISA have the following CVE codes:

Based on the year in the IDs, it’s clear that none of the issues are new. It’s common for threat actors to take advantage of the same vulnerabilities by going after the lowest hanging fruit and avoiding overly complicated, untested approaches. Threat actors are also motivated to return to the same vulnerabilities because organizations are reluctant to frequently update software and deploy new technologies due to the cost. It is difficult to quantify the risk of updating technology in relation to the actual spending required to maintain and replace existing solutions.

LogPoint’s response to CISA’s findings

To help address the vulnerabilities outlined by CISA, LogPoint has developed three ways to gain awareness of the vulnerabilities.

  • A set of alert rules that are tailored to detecting the techniques used by threat actors, which we have verified with our existing alerts.
  • Customized dashboards that provide real-time monitoring of the threats.
  • An ATT&CK-based approach, in which we’ve mapping each of the alerts to specific areas, techniques and tactics listed by MITRE to help organizations relate the vulnerabilities to their overall security posture.

LogPoint has developed 15 new queries and five new dashboards to address the vulnerabilities. Read on for an explanation of the queries and the logic behind them.

CISA Most Exploitable Vulnerabilities LogPoint SIEM Status Graphical Interface

General detection queries

Three of the new queries are dedicated to general detections that address multiple vulnerabilities at once.

The first one is the simplest and detects automated recognition of CVEs by other solutions, most importantly vulnerability management, data from which is required in order for this query to work. More importantly the query can work as a great “jury-rigged” patch to gain at least the most basic, surface-level visibility into the presence of the vulnerabilities.

The query is
norm_id=VulnerabilityManagement cve_id IN MOST_EXPLOITABLE_CVE
where ‘MOST_EXPLOITABLE_CVE’ should hold the list of vulnerability CVE identities.

The next alert takes detection a step deeper, this time using actual intelligence and IOC recognition. If IOCs are available, the alert can work to detect them in the corresponding logs that are forwarded to LogPoint. To query for specific items that would indicate actors that exploit the vulnerabilities, use
norm_id=* (url IN MOST_EXPLOITABLE_DOMAINS OR domain IN MOST_EXPLOITABLE_DOMAINS OR hash IN MOST_EXPLOITABLE_HASHES) host=*
where the capitalized terms are lists containing IOCs. Note that the query requires that you have threat intelligence and logging from as many sources as possible, such as firewalls, webservers, Sysmon and antivirus. Furthermore, the query requires a basic level of threat intelligence such as hashes, malicious domains, email addresses, etc.. If you happen to be lacking it, they are available from open sources, such as LogPoint’s website or MITRE’s database.

The final general detection query helps you detect command and control (CnC) communication characteristic of the threat actors mentioned in CISA’s report.

norm_id=* (destination_address in MOST_EXPLOITABLE_IPS OR receiver IN MOST_EXPLOITABLE_EMAILS) | process eval("IoC=if(receiver) {return "CnC using email communication"}) | process eval("IoC=if(destination_address) {return "CnC using traffic connection"}) | rename source_address as source, destination_address as destination, sender as source, receiver as destination

To make use of this query, the analyst or other relevant technical staff should have a firm understanding of the local network topology, as well as the behavior of the environment and data flows. The capitalized datasets should be based on knowledge of your own resources, and even though you might not be able to mitigate the vulnerabilities immediately, you might be able to introduce a higher level of monitoring to vulnerable systems. The query is also based on the assumption that CnC will take place over certain channels. Again, this might not apply to all use cases, but it introduces a significant improvement to your security posture while using no external resources, only internal mail server and firewall logs.

Queries to search for specific vulnerability exploitations

Now we’ll go through queries that will help you search for signs of specific vulnerability exploitations. The queries are applicable to monitoring, but we advise you to develop a threat hunting effort, even if temporary. You can use the queries in threat hunting until you can address the vulnerabilities at a more fundamental level.

CVE-2019-0604

Our suggested mitigation for CVE-2019-0604 – SharePoint Remote Execution is
norm_id=* request_method=GET url='*layouts*picker.aspx*'
and takes advantage of intelligence regarding the typical use of this exploit. It requires only the logs from a proxy server at a minimum.

CVE-2019-19781

Next comes the query that detects Citrix ADC VPN traversal – CVE-2019-19781. In essence it relies on closer monitoring of activity that may occasionally be normal:
norm_id=* label=Access resource IN ['*vpns*', '*/../*']

Note that the logging requirements are specifically Apache Access Logs from Citrix ADC. If you are getting results that you perceive to be of little use, you should focus the query on this type of logs and judge if the outcome improves.

CVE-2019-11510

The next vulnerability – CVE-2019-11510 – exploits Pulse Secure – which is often not updated due to the complexity and potential complications that come from making changes to data center software. Obviously, the query requires that you have logging coverage of any Pulse Secure resources you may have in the environment.
norm_id=* url IN ['*dana*guacamole*', '*lmdb*data.mdb*', '*data*mtmp/system*']

CVE-2018-7600

CVE-2018-7600 is an arbitrary code execution in Drupal. This type of attack is also often seen in other content management systems – such as WordPress. The attack often relies on the inability of the hosting party to properly configure the system, or their lack of willingness to maintain and update it. The attack type owes is prevalence to a widespread knowledge about it. In order to mitigate the attack using LogPoint, please use the following query:
norm_id=* label=Access request_method=POST resource='*ajax_form*drupal*ajax*'

Web server logs from Drupal are required for the query. Note that the results may be noisy based on activity, so standard tuning policies should be kept in mind while taking advantage of the query.

CVE-2017-11882

The Microsoft Office Memory Corruption – CVE-2017-11882 – is the first of a wide range of vulnerabilities that are introduced and sustained through the presence of outdated Microsoft Office products on the network. The only reliable mitigation for this and other such vulnerabilities is patching, not just in this isolated case, but as a matter of policy. If you cannot do this, but have LogPoint, you can utilize the following query:
norm_id=WindowsSysmon label="Process" label=Create parent_image='*EQNEDT32.EXE' parent_command='*EQNEDT32.EXE*-Embedding' image='*.exe'
to detect this particular CVE. We must point out that Sysmon logs are required for the detection of the query and all other Microsoft vulnerabilities listed in this article.

CVE-2017-5638

CVE-2017-5638 is an Apache vulnerability that allows an attacker to execute code remotely. The vulnerability is typically used to gain initial access to the victim’s environment. Apache Tomcat logs are a necessity for the query to work as intended:
norm_id=ApacheTomcatServer label=Content label=Invalid content_type='*multipart/form-data*#cmd=*'

CVE-2015-1641

CVE-2015-1641 is a vulnerability in Microsoft Office, representing the second vulnerability in MS office that is based on memory corruption. It is applicable to a significant range of Office products – from 2007 to 2013 and reaches all the way from Word to web apps and SharePoint servers.

norm_id=WindowsSysmon label=Image label=Load source_image IN ['*WINWORD.exe', '*EXCEL.exe'] image='*MSVCR71.DLL'

CVE-2017-0199

Detecting CVE-2017-0199 requires access to at least a basic inventory of your assets, and preferably vulnerability scanning data, as it relies on having a list containing the most exploitable IPs.
norm_id=WindowsSysmon label=Network label=Connection image='*WINWORD.exe' destination_address IN MOST_EXPLOITABLE_IPS

CVE-2017-8759

CVE-2017-8759 is a .NET framework remote code execution vulnerability that appears intermittently between the versions of the framework 2.0 – 4.7. We expect the vulnerability to occur in future versions as well, so organization will most likely benefit from have the query as a permanent staple of the environment, regardless of whether or not widespread patching policies are matured.
norm_id=WindowsSysmon label="Process" label=Create parent_image='*WINWORD.exe' parent_command='*.rtf*' image='*csc.exe'

CVE-2018-4878

Another vulnerability relies on the now-infamous Adobe Flash. The software appears to be on its way to being phased out entirely, though if it’s required for production, we recommend you patch it. Otherwise you can stay ahead of the curve by removing it and prohibiting its installation and use in organization-wide technical controls relevant to this scenario. To monitor for CVE-2018-4878 in LogPoint, use the following query:
norm_id=WindowsSysmon label=Image label=Load source_image in ["*winword.exe", "*excel.exe"] image='*Flash32*.ocx'

Similar to the Microsoft vulnerabilities, companies should have a version of Sysmon deployed.

CVE-2017-0143

Windows SMB is a relatively well-known vulnerability source and CVE-2017-0143 has proven a rather long-lived method of exploiting it for the purposes that typically relate to lateral movement across the network. The following query looks for it in LogPoint and, once again, requires you have some idea about what IPs might be the most likely to experience this exploit – at least in the earlier stages of a compromise.

norm_id=WindowsSysmon label=Detect label=Network label=Connection destination_port=445 rule=SMB source_address IN MOST_EXPLOITABLE_IPS

CVE-2012-0158

Finally, we have an ActiveX remote code execution vulnerability – CVE-2012-0158 – which, as one can notice from the CVE ID, has proven to be extremely long-lived and actively exploited by widely known actors, such as Dridex. The vulnerability hits Microsoft products going all the way back to 2003, which is amazing given the fact that the range of the CISA publication is limited to the years 2016-2020. In a sense, the ActiveX vulnerability is one of the best examples of why a patching strategy is considered so essential to an organization’s security. Until a patching strategy is developed and implemented, you can use the following query to put a quick patch on the problem:
norm_id=WindowsSysmon label=Key label="Map" label=Registry target_object='*Software\Microsoft\Office*Resiliency'

Using MITRE ATT&CK to mitigate risk

In the coming month, when LogPoint will deploy the above set of improvements, complete with a full mapping to MITRE ATT&CK, you will be able to immediately achieve a significant value in terms of risk mitigation. Furthermore, the premade alerts come with threat intelligence and scenario testing to make sure that the issues are addressed properly to the fullest extent of the default LogPoint capabilities.

CISA Most Exploitable Vulnerabilities LogPoint Alerts

A sample of LogPoint alerts coming up in this release

Furthermore, we are deploying a graphical representation of the threats, in order to assist with immediate visibility and comprehension of the vulnerabilities on a higher level.

CISA Most Exploitable Vulnerabilities Status Dashboard

An example of a graphical overview covering these vulnerabilities.

Logging requirements are vital for the best level of detection

One important caveat is that logging must be configured carefully to support the above queries. To help you get complete coverage for set of threats, we have compiled the logging requirements.

  • Windows Sysmon Logs (to detect installation of malicious executables and file access. Compare hash values)
  • Antivirus Logs (To detect presence of malicious files/executables)
  • Proxy/Web Server Logs (To detect any communication to malicious resources)
  • Firewall Logs (To detect communication with CnC server IP)
  • Mail Server Logs (Email communication to known malicious attackers)
  • Threat Intelligence Data (Enrichment)
  • Vulnerability Management Data (To detect presence of these vulnerabilities)

The CISA publication is a valuable tool for helping you prioritize your security decisions. The list of log types above and the query overview can serve as a helpful reference to get the optimal setup and quickly addressing the issues.

Contact LogPoint to learn how you can benefit from other updates centered around recent, critical and otherwise relevant security events, as well as an easy-to-understand and well-documented set of existing protections.