Create CVE-2024-47575.yaml

http/cves/2024/CVE-2024-47575.yaml

@@ -0,0 +1,146 @@
+id: CVE-2024-47575
+
+info:
+  name: FortiManager CVE-2024-47575 IoC Detection
+  author: zelosleone
+  severity: critical
+  description: |
+    Detects Indicators of Compromise (IoCs) associated with CVE-2024-47575 in FortiManager. Dynamically retrieves device serial numbers and matches specific log entries, IP addresses, and known malicious files.
+  references:
+    - https://github.com/watchtowrlabs/Fortijump-Exploit-CVE-2024-47575
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-47575
+    - https://fortiguard.fortinet.com/psirt/FG-IR-24-423
+  classification:
+    cve-id: CVE-2024-47575
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    epss-score: 0.88627
+    epss-percentile: 0.98834
+  tags:
+    - cve2024
+    - fortinet
+    - fortimanager
+    - ioc
+
+variables:
+  username: "{{username}}"
+  password: "{{password}}"
+
+requests:
+  - method: POST
+    path:
+      - "{{BaseURL}}/jsonrpc"
+    body:
+      id: 1
+      method: exec
+      params:
+        - data:
+            user: "{{username}}"
+            passwd: "{{password}}"
+          url: /sys/login/user
+    headers:
+      Content-Type: application/json
+    extractors:
+      - type: regex
+        name: session
+        part: body
+        regex:
+          - '"session":"(\w+)"'
+
+  - method: POST
+    path:
+      - "{{BaseURL}}/jsonrpc"
+    body:
+      id: 2
+      method: get
+      params:
+        - url: /dvmdb/device
+    headers:
+      Content-Type: application/json
+    matchers:
+      - type: regex
+        name: SerialNumbers
+        regex:
+          - '"sn":"FMG-VMTM23017412"'
+          - '"sn":"FMG-VMTM19008093"'
+          - '"sn":"FGVMEVWG8YMT3R63"'
+    extractors:
+      - type: regex
+        name: serial_numbers
+        part: body
+        regex:
+          - '"sn":"(\w+)"'
+
+  - method: POST
+    path:
+      - "{{BaseURL}}/jsonrpc"
+    body:
+      id: 3
+      method: get
+      params:
+        - url: /log/device
+          filter:
+            - type: event
+            - subtype: dvm
+            - pri: information
+            - msg: "Unregistered device localhost add succeeded"
+    headers:
+      Content-Type: application/json
+    matchers-condition: or
+    matchers:
+      - type: regex
+        name: AddDeviceLog
+        regex:
+          - 'type=event,subtype=dvm,pri=information.*"Unregistered device localhost add succeeded"'
+      - type: regex
+        name: ModifyDeviceLog
+        regex:
+          - 'type=event,subtype=dvm,pri=notice.*"Edited device settings \(SN FMG-VMTM23017412\)"'
+      - type: regex
+        name: SerialNumbers
+        regex:
+          - "FMG-VMTM23017412"
+          - "FMG-VMTM19008093"
+          - "FGVMEVWG8YMT3R63"
+
+  - method: POST
+    path:
+      - "{{BaseURL}}/jsonrpc"
+    body:
+      id: 4
+      method: get
+      params:
+        - url: /sys/status
+    headers:
+      Content-Type: application/json
+    matchers-condition: or
+    matchers:
+      - type: regex
+        name: SuspiciousIPs
+        regex:
+          - '45\.32\.41\.202'
+          - '104\.238\.141\.143'
+          - '158\.247\.199\.37'
+          - '45\.32\.63\.2'
+          - '80\.66\.196\.199'
+          - '198\.199\.122\.22'
+          - '142\.93\.177\.233'
+          - '195\.85\.114\.78'
+          - '172\.232\.167\.68'
+
+  - method: POST
+    path:
+      - "{{BaseURL}}/jsonrpc"
+    body:
+      id: 5
+      method: get
+      params:
+        - url: /sys/file
+          filter:
+            - path: /tmp/.tm
+            - path: /var/tmp/.tm
+    headers:
+      Content-Type: application/json
+    matchers:
+      - type: status
+        status: [200]