CVE-2021-22893 - Pulse Connect Secure RCE
On April 20th, a new Remote Code Execution vulnerability in Pulse Connect Secure was disclosed. The reference number for the vulnerability is CVE-2021-22893 with the CVSS Score of 10.0. This playbook should be trigger manually and includes the following tasks: * Enrich related known CVEs and Malware Hashes used by the suspected APT actor. * Search for unpatched endpoints vulnerable to the exploits. * Search network facing system using Expanse for relevant issues. * Indicators and known webshells hunting using SIEM products. * Block indicators automatically or manually. * Provide different mitigations that has been publicly published such as: * Patches * Workarounds * Yara and Snort Rules Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve. More information: [Exploitation of Pulse Connect Secure Vulnerabilities](https://us-cert.cisa.gov/ncas/alerts/aa21-110a)
Rapid Breach Response · 35 tasks · 11 inputs · 0 outputs
Inputs
Related_Hashes— The known hashes of different malware families associated with the exploitation.Related_CVEs— The known CVEs associated with the exploitation.BlockAutomatically— Whether to block the indicators automatically. Default: False.QRadarWebshellsQuery— The QRadar search query used for "Hunt Activity Using QRadar". Please note that there aren't specified fields which may cause a longer run time.SplunkWebshellsQuery— The Splunk search query used for "Hunt Activity Using Splunk". Please note that there are two specified fields: msg, message. the query will work for both field names.RunWebshellsQuery— If you would like to skip "Hunt Activity Using Splunk" OR "Hunt Activity Using Qradar" please change the value to 'False'.QRadar_MD5_Field— The name of the field for MD5 entries in QRadar. If not configured, QRadar Indicator Hunting may reach timeout.QRadar_SHA1_Field— The name of the field for SHA1 entries in QRadar. If not configured, QRadar Indicator Hunting may reach timeout.QRadar_SHA256_Field— The name of the field for SHA256 entries in QRadar. If not configured, QRadar Indicator Hunting may reach timeout.SplunkEarliestTime— The earliest time for the Splunk search query.SplunkLatestTime— The latest time for the Splunk search query.
Commands used
enrichIndicators
expanse-get-issues
extractIndicators
splunk-search