rxwx / pulse-meter

Tool for checking the Ivanti Connect Secure System Snapshot for IOCs related to CVE-2023-46805 and CVE-2024-21887


Pulse Meter

This is a work in progress for parsing the System Snapshot from an Ivanti Connect Secure appliance to identify possible IOCs related to CVE-2023-46805 and CVE-2024-21887.

Caveat: I've only tried this on my test appliance, and the Yara rules kind of suck. They are designed specifically to check for malicious activity since 2024-01-01, which may not provide full coverage. They may also raise false positives, so it's best to verify any results manually.

We're somewhat limited in what can be done with the output of the System Snapshot, but it does contain some handy information, such as netstat output and file names.

My hope is that by sharing this, more experienced defenders can contribute with Yara rules / detection logic.

Running

First you will need to install the dependencies:

python -m venv env
source env/bin/activate
pip install -r requirements.txt

Now you will need to get hold of a System Snapshot from your Ivanti/Pulse Connect Secure appliance.

You can do this by logging into the admin interface and going to /dana-admin/dump/dump.cgi.

From here, click the "Take Snapshot" button, wait for it to complete and then download the "Admin generated snapshot" file.

Once you have the snapshot, you can run the script like this:

> python .\pulse-meter.py parse .\pulsesecure-state-admin-localhost2-7-20240115-193030.encrypted
2024-01-16 19:08:24,511 - INFO - Parsing snapshot file: .\pulsesecure-state-admin-localhost2-7-20240115-193030.encrypted
2024-01-16 19:08:24,542 - DEBUG - Decrypted Snapshot
2024-01-16 19:08:24,577 - CRITICAL - [Yara IOC] Rule: Ivanti_ICT_Tool_Detection (Detects when the Ivanti Integrity Checker Tool (ICT) has previously logged a detection on the device)
2024-01-16 19:08:24,577 - CRITICAL - [Yara IOC] Rule: Modified_CompCheckResult_CGI (Detects compcheckresult.cgi modified since 2024-01-01)
2024-01-16 19:08:24,577 - CRITICAL - [Yara IOC] Rule: Modified_LastServerUsed_CGI (Detects modified lastauthserverused.js modified since 2024-01-01)
2024-01-16 19:08:24,577 - CRITICAL - [Yara IOC] Rule: Modified_CAV_Server (Detects modified cav-0.1-py3.6.egg modified since 2024-01-01)
2024-01-16 19:08:24,577 - CRITICAL - [Yara IOC] Rule: SessionServer_Webshell_Tool (Detects the sessionserver.sh script which is used to deploy a webshell and evade detection from ICT)
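The run above shows the kind of check the tool performs: certain file names are flagged when they were modified on or after 2024-01-01, and the sessionserver.sh helper is flagged on sight. As an added illustration (not code from pulse-meter itself), the script below applies that same logic in plain Python to a file listing. The listing format, the directory paths, the timestamps and the helper names `parse_listing` and `scan` are all assumptions made for the example; the real snapshot is encrypted and its internal layout is not described on this page.

```python
import re
from datetime import datetime, timezone

# Activity cutoff used by the README's rules: anything modified on or after
# this date is considered suspicious for the date-gated rules.
CUTOFF = datetime(2024, 1, 1, tzinfo=timezone.utc)

# Rules mirroring the names shown in the README's sample output:
# rule name -> (file name to look for, whether the rule is gated on CUTOFF).
RULES = {
    "Modified_CompCheckResult_CGI": ("compcheckresult.cgi", True),
    "Modified_LastServerUsed_CGI": ("lastauthserverused.js", True),
    "Modified_CAV_Server": ("cav-0.1-py3.6.egg", True),
    "SessionServer_Webshell_Tool": ("sessionserver.sh", False),
}

# Constructed sample listing in an `ls -l --time-style=long-iso` shape.
# The paths and dates are made up for this example; they are NOT real
# appliance paths or real snapshot content.
SAMPLE_LISTING = """\
total 5
-rw-r--r-- 1 root root  4096 2023-11-02 10:15:00 /example/htdocs/auth/compcheckresult.cgi
-rw-r--r-- 1 root root  1120 2024-01-12 03:41:17 /example/htdocs/auth/lastauthserverused.js
-rw-r--r-- 1 root root 20480 2024-01-13 22:05:09 /example/venv/site-packages/cav-0.1-py3.6.egg
-rwxr-xr-x 1 root root   512 2024-01-14 01:00:00 /example/tmp/sessionserver.sh
-rw-r--r-- 1 root root   900 2022-06-01 00:00:00 /example/htdocs/auth/welcome.cgi
"""

# perms links owner group size YYYY-MM-DD HH:MM:SS /absolute/path
LINE_RE = re.compile(
    r"^\S+\s+\d+\s+\S+\s+\S+\s+\d+\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<path>/\S+)$"
)


def parse_listing(text):
    """Turn a long-iso style listing into [{'path': ..., 'mtime': datetime}].

    Lines that do not look like a file entry (headers, blanks) are skipped
    rather than raising, so a noisy snapshot section does not abort the scan.
    """
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        mtime = datetime.strptime(
            f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S"
        ).replace(tzinfo=timezone.utc)
        entries.append({"path": m["path"], "mtime": mtime})
    return entries


def scan(entries, cutoff=CUTOFF):
    """Apply RULES to parsed entries; return (rule, path, mtime_iso) hits."""
    hits = []
    for rule, (name, date_gated) in RULES.items():
        for entry in entries:
            if entry["path"].rsplit("/", 1)[-1] != name:
                continue
            # Date-gated rules ignore files last touched before the cutoff,
            # which is also why they cannot catch older tampering.
            if date_gated and entry["mtime"] < cutoff:
                continue
            hits.append((rule, entry["path"], entry["mtime"].isoformat()))
    return hits


if __name__ == "__main__":
    for rule, path, when in scan(parse_listing(SAMPLE_LISTING)):
        print(f"[IOC] Rule: {rule} -> {path} (modified {when})")
```

In the sample data compcheckresult.cgi is left alone because its timestamp predates the cutoff, which is exactly the coverage gap the caveat above describes; the three remaining files are reported. Any hit still needs a manual look at the file itself, since a legitimate upgrade can also touch these names after the cutoff date.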

References
