CVE-2021-22893 - Pulse Connect Secure RCE

On April 20th, a new Remote Code Execution vulnerability in Pulse Connect Secure was disclosed. The reference number for the vulnerability is CVE-2021-22893 with the CVSS Score of 10.0. This playbook should be trigger manually and includes the following tasks: * Enrich related known CVEs and Malware Hashes used by the suspected APT actor. * Search for unpatched endpoints vulnerable to the exploits. * Search network facing system using Expanse for relevant issues. * Indicators and known webshells hunting using SIEM products. * Block indicators automatically or manually. * Provide different mitigations that has been publicly published such as: * Patches * Workarounds * Yara and Snort Rules Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve. More information: [Exploitation of Pulse Connect Secure Vulnerabilities](https://us-cert.cisa.gov/ncas/alerts/aa21-110a)

Rapid Breach Response · 35 tasks · 11 inputs · 0 outputs

Inputs

  • Related_Hashes — The known hashes of different malware families associated with the exploitation.
  • Related_CVEs — The known CVEs associated with the exploitation.
  • BlockAutomatically — Whether to block the indicators automatically. Default: False.
  • QRadarWebshellsQuery — The QRadar search query used for "Hunt Activity Using QRadar". Please note that there aren't specified fields which may cause a longer run time.
  • SplunkWebshellsQuery — The Splunk search query used for "Hunt Activity Using Splunk". Please note that there are two specified fields: msg, message. the query will work for both field names.
  • RunWebshellsQuery — If you would like to skip "Hunt Activity Using Splunk" OR "Hunt Activity Using Qradar" please change the value to 'False'.
  • QRadar_MD5_Field — The name of the field for MD5 entries in QRadar. If not configured, QRadar Indicator Hunting may reach timeout.
  • QRadar_SHA1_Field — The name of the field for SHA1 entries in QRadar. If not configured, QRadar Indicator Hunting may reach timeout.
  • QRadar_SHA256_Field — The name of the field for SHA256 entries in QRadar. If not configured, QRadar Indicator Hunting may reach timeout.
  • SplunkEarliestTime — The earliest time for the Splunk search query.
  • SplunkLatestTime — The latest time for the Splunk search query.

Commands used

enrichIndicators expanse-get-issues extractIndicators splunk-search

Flowchart

yes yes No No Yes No Yes No Yes Start Start Enrich CVE Indicators - enrichIndicators Enrich CVE Indicators enrichIndicators Enrich Hash Indicators - enrichIndicators Enrich Hash Indicators enrichIndicators Enrichment Enrichment Hunting Hunting SIEM Hunt SIEM Hunt Vulnerability Scanners Hunt Vulnerability Scanners Hunt Palo Alto Networks Hunt Palo Alto Networks Hunt Search Endpoint by CVE - Generic - Search Endpoint by CVE - Generic Search Endpoint by CVE - ... Search Endpoint by CVE - Generic Palo Alto Networks - Hunting And Threat Detection - Palo Alto Networks - Hunting And Threat Detection Palo Alto Networks - Hunt... Palo Alto Networks - Hunting ... Splunk Indicator Hunting - Splunk Indicator Hunting Splunk Indicator Hunting Splunk Indicator Hunting Expanse Issues Hunt Expanse Issues Hunt Search for Pulse Secure VPN Devices with an open issues - expanse-get-issues Search for Pulse Secure V... expanse-get-issues Remediation Remediation Block indicators automatically? Block indicators automati... Is Expanse Enabled? Is Expanse Enabled? Block Indicators - Generic v2 - Block Indicators - Generic v2 Block Indicators - Generi... Block Indicators - Generic v2 Manually block indicators Manually block indicators Mitigation Mitigation Is Pulse Secure is patched? Is Pulse Secure is patched? Review all data collected Review all data collected Install related patches and workarounds Install related patches a... Run Pulse Connect Secure Integrity Tool Run Pulse Connect Secure ... Download Yara/Snort rules from FireEye Mandiant GitHub repository Download Yara/Snort rules... Webshell Access Attempts Hunt Webshell Access Attempts ... Hunt Activity Using Splunk Hunt Activity Using Splunk Hunt Activity Using Qradar Hunt Activity Using Qradar Search access attempts in Pulse Secure Logs - splunk-search Search access attempts in... splunk-search QRadarFullSearch - QRadarFullSearch QRadarFullSearch QRadarFullSearch Is QRadar Enabled? Is QRadar Enabled? Hunt for the webshells names in PCS logs Hunt for the webshells na... Done Done Extract Indicators - extractIndicators Extract Indicators extractIndicators QRadar Indicator Hunting V2 - QRadar Indicator Hunting V2 QRadar Indicator Hunting V2 QRadar Indicator Hunting V2 Is Splunk Enabled? Is Splunk Enabled?