Threat hunting queries for CVE-2022-1388
Scanning activity:
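-- Cloudflare: Suspected command execution using F5 BIG-IP iControl Rest API (CVE-2022-1388)
-- Hunts Cloudflare HTTP request logs for POST requests to the iControl REST
-- bash utility path that this hunt associates with CVE-2022-1388. A hit is
-- only "suspected": the same path may appear in legitimate administrative
-- use, so triage on source, user agent and the origin response status.
SELECT
    EDGE_START_TIMESTAMP,
    CLIENT_REQUEST_HOST,
    CLIENT_REQUEST_PATH,
    CLIENT_REQUEST_REFERER,
    CLIENT_REQUEST_METHOD,
    ORIGIN_IP,
    CLIENT_REQUEST_USER_AGENT,
    ORIGIN_RESPONSE_STATUS
FROM RAW.CLOUDFLARE_HTTP
WHERE CLIENT_REQUEST_URI ILIKE '%/mgmt/tm/util/bash%'
  AND CLIENT_REQUEST_METHOD = 'POST'
  -- CVE-2022-1388 disclosed on May 4, 2022; the window starts one day earlier.
  -- Explicit TIMESTAMP literal instead of relying on the session's implicit
  -- string-to-timestamp conversion (assumes the column is stored in UTC — confirm).
  AND EDGE_START_TIMESTAMP > TIMESTAMP '2022-05-03 00:00:00';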
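-- AWS WAF: Suspected command execution using F5 BIG-IP iControl Rest API (CVE-2022-1388)
-- Hunts AWS WAF logs for POST requests to the iControl REST bash utility path
-- that this hunt associates with CVE-2022-1388. HTTP_REQUEST_HEADERS and
-- ACTION are returned so an analyst can see what the request carried and
-- whether the WAF already blocked it.
SELECT
    EVENT_TIME,
    HTTP_REQUEST_CLIENT_IP,
    HTTP_REQUEST_COUNTRY,
    HTTP_REQUEST_HEADERS,
    ACTION
FROM RAW.AWS_WAF
WHERE HTTP_REQUEST_URI ILIKE '%/mgmt/tm/util/bash%'
  AND HTTP_REQUEST_HTTP_METHOD = 'POST'
  -- CVE-2022-1388 disclosed on May 4, 2022; the window starts one day earlier.
  -- Explicit TIMESTAMP literal instead of relying on the session's implicit
  -- string-to-timestamp conversion (assumes the column is stored in UTC — confirm).
  AND EVENT_TIME > TIMESTAMP '2022-05-03 00:00:00';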
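-- PAN FIREWALL THREAT ACTIVITY: Suspected command execution using F5 BIG-IP iControl Rest API (CVE-2022-1388)
-- Hunts Palo Alto threat logs for POST requests to the iControl REST bash
-- utility path that this hunt associates with CVE-2022-1388.
-- Fixes relative to the original: the trailing comma after USER_AGENT made
-- the statement a syntax error, and the statement was not terminated.
SELECT
    RECEIVE_TIME,
    TYPE,
    SOURCE_IP,
    DESTINATION_LOCATION,
    DESTINATION_IP,
    RULE_NAME,
    URL_FILENAME,
    USER_AGENT
FROM RAW.PAN_FIREWALL_THREAT
WHERE URL_FILENAME ILIKE '%/mgmt/tm/util/bash%'
  -- The original compared against the lowercase literal 'post'; normalizing
  -- the column keeps the match regardless of how the log records method case.
  AND UPPER(HTTP_METHOD) = 'POST'
  -- CVE-2022-1388 disclosed on May 4, 2022; the window starts one day earlier.
  -- Note the filter is on GENERATED_TIME while RECEIVE_TIME is what is displayed.
  -- Explicit TIMESTAMP literal instead of relying on the session's implicit
  -- string-to-timestamp conversion (assumes the column is stored in UTC — confirm).
  AND GENERATED_TIME > TIMESTAMP '2022-05-03 00:00:00';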
Successful exploitation:
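-- Cloudflare: Suspected successful command execution using F5 BIG-IP iControl Rest API (CVE-2022-1388)
-- Same hunt as the Cloudflare scanning query, narrowed to requests the origin
-- answered with HTTP 200. A 200 is a weak success indicator on its own (the
-- endpoint also answers legitimate administrative calls), so treat hits as
-- triage leads rather than confirmed compromise.
SELECT
    EDGE_START_TIMESTAMP,
    CLIENT_REQUEST_HOST,
    CLIENT_REQUEST_PATH,
    CLIENT_REQUEST_REFERER,
    CLIENT_REQUEST_METHOD,
    ORIGIN_IP,
    CLIENT_REQUEST_USER_AGENT,
    ORIGIN_RESPONSE_STATUS
FROM RAW.CLOUDFLARE_HTTP
WHERE CLIENT_REQUEST_URI ILIKE '%/mgmt/tm/util/bash%'
  -- Compared as a string literal, as in the original; confirm the column type
  -- (a numeric column would accept 200 without quotes).
  AND ORIGIN_RESPONSE_STATUS = '200'
  AND CLIENT_REQUEST_METHOD = 'POST'
  -- CVE-2022-1388 disclosed on May 4, 2022; the window starts one day earlier.
  -- Explicit TIMESTAMP literal instead of relying on the session's implicit
  -- string-to-timestamp conversion (assumes the column is stored in UTC — confirm).
  AND EDGE_START_TIMESTAMP > TIMESTAMP '2022-05-03 00:00:00';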