Oracle PeopleSoft PeopleTools Missing Authentication for Critical Function (CVE-2026-35273)

let PeopleSoftPorts = dynamic([8000, 8443, 443, 80]);
let SuspiciousPaths = dynamic(["/psp/", "/psc/", "/PSIGW/", "/pspc/", "/signon.html", "/PeopleSoftServices/"]);
let AuthBypassPaths = dynamic(["/PSIGW/HttpListeningConnector", "/PSIGW/PeopleSoftServiceListeningConnector", "/psp/ps/EMPLOYEE/HRMS"]);
union DeviceNetworkEvents, CommonSecurityLog, W3CIISLog
| where TimeGenerated >= ago(24h)
| where (
    (csUriStem has_any (AuthBypassPaths)) or
    (RequestURL has_any (AuthBypassPaths))
  )
| where not(isempty(csUsername) or csUsername == "-" or csUsername == "anonymous")
| extend RequestPath = coalesce(csUriStem, RequestURL, "")
| extend SourceAddress = coalesce(cIP, SourceIP, CallerIpAddress, "")
| extend StatusCode = coalesce(scStatus, EventOutcome, "")
| where StatusCode in ("200", "201", "302") or isempty(StatusCode)
| summarize
    RequestCount = count(),
    DistinctPaths = dcount(RequestPath),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    StatusCodes = make_set(StatusCode),
    Paths = make_set(RequestPath)
  by SourceAddress, bin(TimeGenerated, 5m)
| where RequestCount >= 3
| extend AlertSeverity = "Critical"
| extend Description = "Possible exploitation of CVE-2026-35273: Unauthenticated access to Oracle PeopleSoft critical functions detected"

index=web OR index=iis OR index=proxy sourcetype IN (iis, ms:iis:auto, access_combined, nginx:plus:kv)
| where match(uri_path, "(?i)/PSIGW/|/psp/|/psc/|/pspc/|/PeopleSoftServices/")
| eval is_bypass_path=if(match(uri_path, "(?i)/PSIGW/HttpListeningConnector|/PSIGW/PeopleSoftServiceListeningConnector"), 1, 0)
| eval auth_present=if(isnotnull(username) AND username!="-" AND username!="anonymous", 1, 0)
| eval suspicious=if(is_bypass_path=1 AND (auth_present=0 OR status IN ("200","302")), 1, 0)
| where suspicious=1
| stats
    count as request_count,
    dc(uri_path) as distinct_paths,
    values(uri_path) as paths,
    values(status) as status_codes,
    min(_time) as first_seen,
    max(_time) as last_seen
  by src_ip, host
| where request_count >= 2
| eval severity="critical"
| eval cve="CVE-2026-35273"
| eval description="Unauthenticated access to Oracle PeopleSoft critical function endpoint - possible CVE-2026-35273 exploitation"
| table _time, src_ip, host, request_count, distinct_paths, paths, status_codes, severity, cve, description

sequence by source.ip with maxspan=5m
  [network where event.category == "network" and
   url.path : ("/PSIGW/*", "/psp/*", "/psc/*", "/PeopleSoftServices/*") and
   (user.name == null or user.name == "-" or user.name == "anonymous") and
   http.response.status_code in (200, 201, 302)]
  [network where event.category == "network" and
   url.path : ("/PSIGW/*", "/psp/*", "/psc/*") and
   http.response.status_code in (200, 201, 302)]

SELECT
  sourceip,
  destinationip,
  destinationport,
  URL,
  username,
  "HTTP Response Code" as response_code,
  COUNT(*) as event_count,
  MIN(starttime) as first_seen,
  MAX(starttime) as last_seen
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft IIS', 'Apache HTTP Server', 'F5 BIG-IP LTM', 'Nginx')
  AND (
    URL ILIKE '%/PSIGW/%'
    OR URL ILIKE '%/psp/%'
    OR URL ILIKE '%/psc/%'
    OR URL ILIKE '%/PeopleSoftServices/%'
  )
  AND (
    username IS NULL
    OR username = '-'
    OR username = 'anonymous'
  )
  AND "HTTP Response Code" IN ('200', '201', '302')
  AND DATEFORMAT(starttime, 'yyyy-MM-dd') >= DATEADD('day', -1, NOW())
GROUP BY sourceip, destinationip, destinationport, URL, username, response_code
HAVING COUNT(*) >= 2
ORDER BY event_count DESC

_sourceCategory=web/iis OR _sourceCategory=web/apache OR _sourceCategory=proxy/bluecoat
| where %"cs-uri-stem" matches "/PSIGW/*" or %"cs-uri-stem" matches "/psp/*" or %"cs-uri-stem" matches "/psc/*" or %"cs-uri-stem" matches "/PeopleSoftServices/*"
| where isNull(%"cs-username") or %"cs-username" = "-" or %"cs-username" = "anonymous"
| where %"sc-status" in ("200", "201", "302")
| timeslice 5m
| stats
    count as request_count,
    dcount(%"cs-uri-stem") as unique_paths,
    values(%"cs-uri-stem") as accessed_paths,
    values(%"sc-status") as status_codes
  by %"c-ip", _timeslice
| where request_count >= 2
| fields %"c-ip", request_count, unique_paths, accessed_paths, status_codes, _timeslice
| sort by request_count desc

rule cve_2026_35273_peoplesoft_auth_bypass {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects unauthenticated access to Oracle PeopleSoft critical functions - CVE-2026-35273"
    severity = "CRITICAL"
    priority = "HIGH"
    cve = "CVE-2026-35273"
    reference = "https://www.oracle.com/security-alerts/alert-cve-2026-35273.html"

  events:
    $e.metadata.event_type = "NETWORK_HTTP"
    $e.network.http.request_url = /\/PSIGW\/|PSIGWHttpListeningConnector|PeopleSoftServiceListeningConnector/
    not $e.network.http.user_agent = ""
    $e.network.http.response_code = 200 or
    $e.network.http.response_code = 302
    not $e.principal.user.userid = /^[a-zA-Z0-9._%+-]+$/

  condition:
    $e
}

#event_simpleName=NetworkConnectIP4 OR #event_simpleName=HttpRequest
| TargetFileName=/(?i)(psigw|psp|psc|PeopleSoftServices)/
  OR HttpUri=/(?i)\/PSIGW\/(HttpListeningConnector|PeopleSoftServiceListeningConnector)/
| eval auth_missing = if(isnull(UserName) OR UserName IN ("-", "anonymous", ""), 1, 0)
| where auth_missing = 1
| where HttpStatusCode IN ("200", "201", "302")
| stats
    count() as request_count,
    dc(HttpUri) as distinct_uris,
    values(HttpUri) as uris_accessed,
    min(timestamp) as first_seen,
    max(timestamp as last_seen
  by RemoteAddressIP4, ComputerName
| where request_count >= 2
| eval alert = "CVE-2026-35273: PeopleSoft unauthenticated critical function access"