name: Linux.Detection.vRealizeLogInsightExploitation
author: ACEResponder.com
description: |
  Checks for vRealize Log Insight VMSA-2023-0001 exploitation artifacts in
  runtime.log. A path traversal sequence in the FileName field is evidence of
  compromise. Exploitation is also possible without the path traversal
  vulnerability, so any attempt to run REMOTE_PAK_DOWNLOAD_COMMAND from a
  non-vRealize server should be treated as malicious.
  #VMWare #vRealize #exploit

# Can be CLIENT, CLIENT_EVENT, SERVER, SERVER_EVENT
type: CLIENT

sources:
  - precondition:
      SELECT OS FROM info() WHERE OS =~ 'linux'

    query: |
      -- Read runtime.log and split it into individual lines.
      LET lines = SELECT split(string=Data, sep='\\r?\\n|\\r') AS List
      FROM read_file(filenames="/var/log/loginsight/runtime.log")

      -- Parse every line that mentions REMOTE_PAK_DOWNLOAD_COMMAND.
      LET results = SELECT * FROM foreach(row=lines,
        query={
          SELECT parse_string_with_regex(
            string=_value,
            regex=[
              "^\\[(?P<Time>[^\\]]+)\\].*REMOTE_PAK_DOWNLOAD_COMMAND.*requestUrl:(?P<RequestUrl>[^,]+), fileName:(?P<FileName>[^)]+).*$"
            ]) AS Record
          FROM foreach(row=List)
          WHERE _value
            AND _value =~ ".*REMOTE_PAK_DOWNLOAD_COMMAND.*"
        })

      -- Output one row per matching log line.
      SELECT
        Record.Time AS Time,
        Record.RequestUrl AS RequestUrl,
        Record.FileName AS FileName
      FROM results