GitLab SSRF Exploitation (CVE-2021-22175)

union isfuzzy=true
(
    AzureDiagnostics
    | where Category == "ApplicationGatewayAccessLog"
    | where requestUri_s matches regex @"/(import|export|hook|webhook|integrations|api/v4/projects/[0-9]+/import)"
    | where httpStatus_i in (200, 302, 400, 500)
    | extend TargetUrl = tostring(parse_url(requestUri_s))
    | where requestUri_s contains "url=" or requestUri_s contains "remote=" or requestUri_s contains "import_url"
),
(
    CommonSecurityLog
    | where DeviceVendor == "GitLab" or ApplicationProtocol == "HTTP"
    | where RequestURL matches regex @"/(import|hook|webhook|integrations)"
    | where RequestURL contains "169.254.169.254" or RequestURL contains "metadata" or RequestURL contains "internal"
    | extend SSRFIndicator = true
),
(
    W3CIISLog
    | where csUriStem matches regex @"/(import|hook|webhook)"
    | where csUriQuery contains "url=http" or csUriQuery contains "url=https"
    | extend DecodedQuery = url_decode(csUriQuery)
    | where DecodedQuery contains "169.254" or DecodedQuery contains "10." or DecodedQuery contains "192.168." or DecodedQuery contains "localhost"
)
| summarize RequestCount=count(), FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by SourceIP=coalesce(clientIp_s, SourceIP, cIP), TargetEndpoint=coalesce(requestUri_s, RequestURL, csUriStem)
| where RequestCount >= 1
| extend Severity = "High", CVE = "CVE-2021-22175"
| order by RequestCount desc

index=web OR index=gitlab OR index=proxy
(sourcetype=access_combined OR sourcetype=gitlab:access OR sourcetype=nginx:access OR sourcetype=haproxy)
(
    (uri_path IN ("*/import*", "*/hook*", "*/webhook*", "*/integrations*", "*/api/v4/projects/*/import*"))
    OR (uri_query IN ("*url=http*", "*remote=http*", "*import_url=*"))
)
| eval decoded_query=urldecode(uri_query)
| eval ssrf_target=case(
    match(decoded_query, "169\.254\.169\.254"), "AWS_METADATA",
    match(decoded_query, "metadata\.google\.internal"), "GCP_METADATA",
    match(decoded_query, "169\.254\.169\.254|fd00:ec2::254"), "CLOUD_METADATA",
    match(decoded_query, "^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01]))"), "INTERNAL_RFC1918",
    match(decoded_query, "localhost|127\.0\.0\.1|::1"), "LOOPBACK",
    true(), "EXTERNAL"
)
| where ssrf_target != "EXTERNAL" OR match(decoded_query, "file://|dict://|gopher://|ftp://")
| stats count AS request_count, earliest(_time) AS first_seen, latest(_time) AS last_seen, values(ssrf_target) AS ssrf_targets, values(uri_path) AS targeted_paths BY src_ip, host
| eval cve="CVE-2021-22175", severity="high"
| sort -request_count

sequence by source.ip with maxspan=5m
  [network where event.category == "network" and event.type == "connection"
   and (
     url.path : ("*/import*", "*/hook*", "*/webhook*", "*/integrations*")
     or url.query : ("*url=http*", "*import_url=*", "*remote=http*")
   )
   and http.response.status_code in (200, 302, 400, 403, 500)
  ]
  [network where event.category == "network"
   and (
     destination.ip : ("169.254.169.254", "127.0.0.1", "10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12")
     or dns.question.name : ("metadata.google.internal", "169.254.169.254")
   )
   and source.ip : ("*gitlab*") 
  ]

SELECT
    sourceip,
    destinationip,
    URL,
    "HTTP Method" AS http_method,
    "HTTP Response Code" AS response_code,
    QIDNAME(qid) AS event_name,
    logsourcename(logsourceid) AS log_source,
    starttime,
    COUNT(*) OVER (PARTITION BY sourceip) AS request_count
FROM events
WHERE
    LOGSOURCETYPENAME(devicetype) IN ('GitLab', 'Apache HTTP Server', 'nginx', 'HAProxy')
    AND (
        URL IMATCHES '.*/(import|hook|webhook|integrations|api/v4/projects/\\d+/import).*'
        OR URL IMATCHES '.*(url=http|import_url=|remote=http).*'
    )
    AND (
        URL IMATCHES '.*(169\\.254\\.169\\.254|metadata\\.google\\.internal|localhost|127\\.0\\.0\\.1).*'
        OR URL IMATCHES '.*(file://|gopher://|dict://|ftp://).*'
        OR destinationip INCIDR '169.254.0.0/16'
        OR destinationip INCIDR '10.0.0.0/8'
        OR destinationip INCIDR '192.168.0.0/16'
    )
    AND DATEFORMAT(starttime, 'yyyy-MM-dd') >= DATEADD('day', -7, NOW())
GROUP BY sourceip, destinationip, URL, http_method, response_code, event_name, log_source, starttime
ORDER BY starttime DESC
LIMIT 500

_sourceCategory=gitlab/access OR _sourceCategory=nginx/access OR _sourceCategory=web/proxy
| parse regex "(?<src_ip>\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}) .* \"(?:GET|POST|PUT|PATCH) (?<uri_path>[^\s?]+)(?:\\?(?<uri_query>[^\s]*))? HTTP" nodrop
| parse regex "\"(?<status_code>\\d{3})\"" nodrop
| where uri_path matches "*/import*" or uri_path matches "*/hook*" or uri_path matches "*/webhook*" or uri_path matches "*/integrations*"
| urldecode(uri_query) as decoded_query
| where decoded_query matches "*169.254.169.254*" or decoded_query matches "*metadata.google.internal*" or decoded_query matches "*localhost*" or decoded_query matches "*127.0.0.1*" or decoded_query matches "*10.*" or decoded_query matches "*192.168.*" or decoded_query matches "*file://*" or decoded_query matches "*gopher://*"
| eval ssrf_type = if(decoded_query matches "*169.254*", "CLOUD_METADATA", if(decoded_query matches "*localhost*" or decoded_query matches "*127.0*", "LOOPBACK", "INTERNAL_NETWORK"))
| count by src_ip, uri_path, ssrf_type, status_code
| sort by _count desc

rule gitlab_ssrf_cve_2021_22175 {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects SSRF exploitation attempts against GitLab CVE-2021-22175"
    severity = "HIGH"
    priority = "HIGH"
    cve = "CVE-2021-22175"
    mitre_attack = "T1190"

  events:
    $req.metadata.event_type = "NETWORK_HTTP"
    $req.target.application = /gitlab/i
    (
      $req.target.url.path = /\/(import|hook|webhook|integrations)/ or
      $req.target.url.query = /url=http/ or
      $req.target.url.query = /import_url=/ or
      $req.target.url.query = /remote=http/
    )
    (
      $req.target.url.query = /169\.254\.169\.254/ or
      $req.target.url.query = /metadata\.google\.internal/ or
      $req.target.url.query = /localhost/ or
      $req.target.url.query = /127\.0\.0\.1/ or
      $req.target.url.query = /file:\/\// or
      $req.target.url.query = /gopher:\/\// or
      $req.target.url.query = /dict:\/\//
    )
    $req.principal.ip = $src_ip

  match:
    $src_ip over 5m

  outcome:
    $risk_score = 75
    $event_count = count_distinct($req.metadata.id)
    $targeted_paths = array_distinct($req.target.url.path)

  condition:
    $req
}

#event_simpleName=NetworkReceiveAccept OR #event_simpleName=NetworkConnectIP4
| filter (RemotePort in [80, 443, 8080, 8443] OR LocalPort in [80, 443, 3000, 8080])
| filter (
    HttpPath = /\/(import|hook|webhook|integrations|api\/v4\/projects\/\d+\/import)/
    OR HttpQueryString = /url=http|import_url=|remote=http/
  )
| eval ssrf_indicator = case(
    match(HttpQueryString, "169\\.254\\.169\\.254"), "AWS_METADATA_ENDPOINT",
    match(HttpQueryString, "metadata\\.google\\.internal"), "GCP_METADATA_ENDPOINT",
    match(HttpQueryString, "localhost|127\\.0\\.0\\.1"), "LOOPBACK_ADDRESS",
    match(HttpQueryString, "file://|gopher://|dict://"), "DANGEROUS_SCHEME",
    match(RemoteIP, "^(10\\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01]))"), "INTERNAL_RFC1918",
    true(), null
  )
| filter ssrf_indicator != null
| stats count() AS request_count, earliest(timestamp) AS first_seen, latest(timestamp) AS last_seen, values(ssrf_indicator) AS ssrf_types, values(HttpPath) AS paths BY RemoteIP, LocalIP, ComputerName
| eval cve = "CVE-2021-22175"
| sort -request_count