# Fragment of a Java `Runtime.getRuntime().exec(` call inside evt.arg.data.
# '%28' is the URL-encoded '(' so the match targets form-encoded request bodies.
- macro: java_system_command_getRuntime
  condition: >-
    (evt.arg.data contains 'Runtime' and
    evt.arg.data contains 'getRuntime' and
    evt.arg.data contains '.exec%28' )
# Fragment of a Java `ProcessBuilder(...).start(` call inside evt.arg.data
# ('%28' is the URL-encoded '(').
- macro: java_system_command_processBuilder
  condition: >-
    (evt.arg.data contains 'ProcessBuilder' and
    evt.arg.data contains '.start%28')
# The four form fields that, by their names, identify a PaperCut print-script
# submission. Scopes the java_system_command_* macros to this request type so a
# Java call fragment in unrelated traffic does not fire the rule on its own.
- macro: papercut_scripting_form_data
  condition: >-
    (evt.arg.data contains 'service=' and
    evt.arg.data contains 'printerId=' and
    evt.arg.data contains 'enablePrintScript=' and
    evt.arg.data contains 'scriptBody=')
# Fires on the exit of a read() whose buffer carries the PaperCut print-script
# form fields together with a Java process-spawning call fragment. References
# the papercut_scripting_form_data and java_system_command_* macros.
- rule: PaperCut Remote Code Execution CVE-2023-27350 Exploited
  desc: 'Detects the execution of system commands using Papercut App Server. Possible exploitation of CVE-2023-27350.'
  # NOTE(review): evt.arg.data only holds the first snaplen bytes of the I/O
  # buffer (Falco's default is 80). All four form fields plus the command
  # fragment must fall inside that window for the condition to be true —
  # confirm the deployment raises the snaplen.
  # NOTE(review): only evt.type=read is matched; confirm the JVM in this
  # deployment reads sockets via read() rather than recvfrom()/recvmsg()
  # before relying on this rule for coverage.
  condition: >
    evt.dir=< and
    evt.type=read and
    papercut_scripting_form_data and
    (evt.arg.data contains 'ProcessBuilder.Command%28' or
    java_system_command_getRuntime or
    java_system_command_processBuilder)
  # Connection 4-tuple, user and process context for triage. The fd.cip label
  # is kept verbatim even though the other keys use descriptive names.
  output: "CVE-2023-27350 Remote Code Execution detected (event=%evt.type server_ip=%fd.sip server_port=%fd.sport proto=%fd.l4proto fd.cip=%fd.cip user.name=%user.name user.loginuid=%user.loginuid parent=%proc.pname process=%proc.name container_id=%container.id)"
  priority: CRITICAL
  tags:
    - host
    - container
    - exploit
    - CVE_2023_27350
    - Papercut
    - Mitre_Initial_Access
    - T1190