Ivanti patches two actively exploited critical vulnerabilities in EPMM

The company advises triaging logs with the ^(?!127\.0\.0\.1:\d+ .*$).*?\/mifs\/c\/(aft|app)store\/fob\/.*?404 regular expression and looking for HTTP 404 error response codes as well as GET requests with parameters that contain bash commands.

“The most typical is the introduction of, or modification of, malicious files to introduce web shell capabilities,” the company said. “Ivanti has generally seen these changes target HTTP error pages, such as 401.jsp. Any requests to these pages with POST methods or with parameters should be considered highly suspicious. Analysts who are performing forensic inspection of the disk should also review for unexpected WAR or JAR files being introduced to the system.”

One thing to note is that attackers commonly delete logs to cover their tracks and that on systems with high usage the logs may be rotated several times a day. That’s why customers are strongly advised to use the Data Export features to forward logs from the EPMM appliance to their SIEM system or other log aggregators.
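The log triage described above can be scripted as follows. This is an added example, not code from Ivanti or the article; the access-log layout, the sample lines and the `/mifs/401.jsp` location are constructed assumptions, and `triage` is a hypothetical helper name.

```python
import re

# Triage pattern from the article, written with its backslash escapes: 404s on
# the aftstore/appstore "fob" paths, ignoring loopback traffic from the appliance.
FOB_404 = re.compile(r"^(?!127\.0\.0\.1:\d+ .*$).*?/mifs/c/(aft|app)store/fob/.*?404")

# Assumed log layout (the "127.0.0.1:<port> " lookahead implies lines start
# with client address and port): addr:port - - [time] "METHOD URI PROTO" status size
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')

def triage(lines, error_pages=("401.jsp",)):
    """Return (line_number, reason) for every log line worth a closer look."""
    findings = []
    for number, line in enumerate(lines, 1):
        if FOB_404.search(line):
            findings.append((number, "404 on /mifs/c/(aft|app)store/fob/"))
        m = REQUEST.search(line)
        if not m:
            continue
        path, _, query = m["uri"].partition("?")
        # Error pages are rendered by the server, so a direct request with
        # POST or with a query string matches the article's suspicious case.
        if path.rsplit("/", 1)[-1] in error_pages and (m["method"] == "POST" or query):
            findings.append((number, f"{m['method']} to error page {path}"))
    return findings

# Constructed sample lines (not real traffic; addresses are documentation ranges).
SAMPLE = [
    '203.0.113.7:51514 - - [01/Jan/2026:10:00:01 +0000] "GET /mifs/c/appstore/fob/x?p=PLACEHOLDER HTTP/1.1" 404 196',
    '127.0.0.1:40022 - - [01/Jan/2026:10:00:02 +0000] "GET /mifs/c/aftstore/fob/y HTTP/1.1" 404 196',
    '198.51.100.9:40100 - - [01/Jan/2026:10:00:03 +0000] "GET /mifs/c/appstore/fob/z HTTP/1.1" 200 5120',
    '203.0.113.7:51520 - - [01/Jan/2026:10:00:04 +0000] "POST /mifs/401.jsp HTTP/1.1" 200 12',
    '198.51.100.9:40101 - - [01/Jan/2026:10:00:05 +0000] "GET /mifs/401.jsp?k=PLACEHOLDER HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    for number, reason in triage(SAMPLE):
        print(f"line {number}: {reason}")
```

The pattern's trailing 404 is not anchored to the status field, so it also matches a 404 that appears later in the line (for example in a response size); confirm the status code on each hit before escalating.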
