SimpleHelp Path Traversal Vulnerability (CVE-2024-57728)

union DeviceNetworkEvents, DeviceProcessEvents, CommonSecurityLog
| where TimeGenerated > ago(7d)
| where (
    (ActionType == "NetworkConnectionInitiated" and (RemotePort == 80 or RemotePort == 443 or RemotePort == 5850 or RemotePort == 5951))
    or (DeviceName has_any ("simplehelp", "SimpleHelp"))
    or (ProcessCommandLine has_any ("/../", "/..", "%2e%2e", "%2f%2e%2e", "..%2f", "%252e%252e"))
  )
| extend PathTraversalIndicator = case(
    ProcessCommandLine has_any ("/../", "/..", "%2e%2e%2f", "%2f%2e%2e", "..%2f", "%252e%252e%252f"), "URL Encoded Path Traversal",
    RequestURL has_any ("/../", "/..", "%2e%2e", "%252e%252e"), "HTTP Path Traversal",
    "Unknown"
  )
| where PathTraversalIndicator != "Unknown"
| project TimeGenerated, DeviceName, InitiatingProcessFileName, ProcessCommandLine, RemoteIP, RemotePort, RequestURL, PathTraversalIndicator
| order by TimeGenerated desc

index=* sourcetype IN ("access_combined", "iis", "nginx:plus:kv", "apache:access", "simplehelp") earliest=-7d
| eval decoded_uri=urldecode(uri)
| eval decoded_uri=urldecode(decoded_uri)
| where match(decoded_uri, "(\.\./|%2e%2e%2f|%252e%252e|\.\.%2f|\.\./\.\.)")
    OR match(uri, "(%2e%2e|%252e%252e|\.\.%2f|%2f%2e%2e)")
| eval traversal_depth=mvcount(split(decoded_uri, "../")) - 1
| eval severity=case(
    traversal_depth >= 4, "critical",
    traversal_depth >= 2, "high",
    traversal_depth >= 1, "medium",
    true(), "low"
  )
| eval target_file=mvindex(split(decoded_uri, "/"), -1)
| eval suspicious_target=if(match(target_file, "(passwd|shadow|web\.xml|config|credentials|id_rsa|\.env|application\.properties)"), "YES", "NO")
| stats count as request_count, values(decoded_uri) as traversal_uris, values(clientip) as source_ips, max(severity) as max_severity, values(suspicious_target) as suspicious_targets by host, status
| where request_count > 0
| sort - request_count

sequence by host.name with maxspan=5m
  [network where event.type == "connection" and
   (destination.port == 5850 or destination.port == 5951 or destination.port == 443 or destination.port == 80) and
   network.direction == "ingress"]
  [process where event.type == "start" and
   (process.name in ("java.exe", "java") or process.parent.name in ("java.exe", "java")) and
   (process.args : ("*../*", "*..\\*", "*%2e%2e*", "*%252e*") or
    process.command_line : ("*/../*", "*\\..\\*", "*%2e%2e%2f*"))]
| head 200

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') as event_time,
  sourceip,
  destinationip,
  destinationport,
  URL,
  username,
  QIDNAME(qid) as event_name,
  logsourcename(logSourceId) as log_source,
  'CVE-2024-57728' as cve_reference
FROM events
WHERE
  starttime > NOW() - 7 DAYS
  AND (
    URL IMATCHES '.*(%2e%2e|%252e%252e|\.\./|\.\.%2f|%2f%2e%2e).*'
    OR UTF8(payload) IMATCHES '.*(\.\./|\.\.\\/|%2e%2e%2f|%252e%252e%252f).*'
  )
  AND (
    destinationport IN (80, 443, 5850, 5951)
    OR logsourcename(logSourceId) IMATCHES '.*simplehelp.*'
  )
ORDER BY starttime DESC
LIMIT 1000

_sourceCategory=webserver* OR _sourceCategory=simplehelp*
| parse regex "(?<client_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" nodrop
| parse regex "\"(?:GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH) (?<request_uri>[^\"]+)\"" nodrop
| where request_uri matches "*../*" OR request_uri matches "*%2e%2e*" OR request_uri matches "*%252e%252e*" OR request_uri matches "*..%2f*" OR request_uri matches "*%2f%2e%2e*"
| urldecode(request_uri) as decoded_uri
| urldecode(decoded_uri) as double_decoded_uri
| if(double_decoded_uri matches "*/etc/passwd*" OR double_decoded_uri matches "*/etc/shadow*" OR double_decoded_uri matches "*web.xml*" OR double_decoded_uri matches "*credentials*" OR double_decoded_uri matches "*id_rsa*", "CRITICAL", "HIGH") as alert_priority
| count as hit_count by client_ip, decoded_uri, alert_priority
| sort by hit_count desc

rule CVE_2024_57728_SimpleHelp_PathTraversal {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects path traversal exploitation of CVE-2024-57728 in SimpleHelp"
    severity = "HIGH"
    priority = "HIGH"
    reference = "https://nvd.nist.gov/vuln/detail/CVE-2024-57728"
    cve = "CVE-2024-57728"

  events:
    $http.metadata.event_type = "NETWORK_HTTP"
    $http.target.port = /^(80|443|5850|5951)$/
    (
      $http.target.url = /(\.\.\/|%2e%2e%2f|%252e%252e|\.\.%2f|%2f%2e%2e)/i or
      $http.network.http.request_url = /(\.\.\/|%2e%2e%2f|%252e%252e|\.\.%2f)/i
    )

  condition:
    $http
}

#event_simpleName=NetworkConnectIP4 OR #event_simpleName=ProcessRollup2
| case {
    #event_simpleName=NetworkConnectIP4 |
      RemotePort in (80, 443, 5850, 5951) |
      rename RemoteIP as target_ip, RemotePort as target_port;
    #event_simpleName=ProcessRollup2 |
      CommandLine = /(\.\.\/|%2e%2e|%252e%252e|\.\.%2f|%2f%2e%2e)/i |
      rename CommandLine as suspicious_cmdline
  }
| search suspicious_cmdline != null OR (target_port in (5850, 5951))
| eval traversal_detected = if(match(suspicious_cmdline, "(\.\./|%2e%2e|%252e%252e)"), "YES", "NO")
| eval sensitive_file_target = if(match(suspicious_cmdline, "(passwd|shadow|web\.xml|\.env|id_rsa|credentials|config)"), "YES", "NO")
| stats count as event_count, values(suspicious_cmdline) as commands, values(target_ip) as targets by aid, ComputerName, traversal_detected, sensitive_file_target
| where traversal_detected = "YES"
| sort - event_count