“PowerShell execution (base64 decoded and beautified): this stages more PowerShell to be executed inside of a multi-line string. It once again stores pertinent filesystem paths in variables, but then defines regular expressions to be used to remove evidence of exploitation. t…”
T1059.001 PowerShell (99%)
“different version numbers -- some as recent as 23.3.34, a handful in the yearly range of versions 16.x or 17.x, and some as old as versions 7.5.0 and 7.0.0 (P.S. please update!). We observed only one of these instances actively compromised with the zero-day exploit. t…”
T1190 Exploit Public-Facing Application (95%)
“Critical Vulnerability: SysAid CVE-2023-47246 | Huntress On November 8, 2023, SysAid published an advisory expressing that their on-premise server software had a previously undisclosed vulnerability and is aware of public in-the-wild exploitation. Days prior, Microsoft…”
T1190 Exploit Public-Facing Application (95%)
“instances that are accessible on the public internet. A different Shodan query for any reference of SysAid in the HTML of the analyzed page returns just under 900 results. While this does not prove exploitability for each of these public servers, it does show the prevalence of th…”
T1190 Exploit Public-Facing Application (95%)
“SysAid refers to this vulnerability as a “previously unknown path traversal vulnerability leading to code execution within the SysAid on-prem software.” The security bulletin does not include technical details for this vulnerability and how to exploit it, but does include tec…”
T1059.001 PowerShell (91%)
“userfilesfolder as variables - enumerate running processes with tasklist, and use regular expressions to match any processes beginning with “sophos” and including .exe present in the executable name - if any processes matching these criteria are found, this PowerShell code remov…”
T1190 Exploit Public-Facing Application (90%)
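The stager behaviour the excerpts above describe (base64-encoded PowerShell that enumerates processes with tasklist, regex-matches "sophos" executables, stores a userfilesfolder path in a variable and then removes evidence) is easiest to triage from process-creation telemetry by decoding the -EncodedCommand argument and scanning the decoded script for those indicators. The Python below is an added example written for this page; it is not Huntress's code and not the script from the report. The command lines, the script text, the placeholder path, the cleanup target and the indicator regexes are all constructed assumptions.

```python
import base64
import re
from typing import Optional

# Indicator patterns. They follow the behaviour the excerpts describe (tasklist
# enumeration, a regex for "sophos" executables, a userfilesfolder variable,
# cleanup of evidence), but the exact regexes are this example's assumptions,
# not rules taken from the report.
INDICATORS = {
    "process_enumeration": re.compile(r"\btasklist\b", re.I),
    "sophos_process_check": re.compile(r"sophos.*\.exe", re.I),
    "user_files_path": re.compile(r"userfilesfolder", re.I),
    "artifact_cleanup": re.compile(r"\b(?:Remove-Item|del|rd|rm)\b", re.I),
}

# PowerShell accepts any unambiguous prefix of -EncodedCommand; these are the
# spellings commonly seen in command lines.
ENCODED_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def encode_command(script: str) -> str:
    """Build an -EncodedCommand argument: base64 over the UTF-16LE bytes of the script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script behind -EncodedCommand, or None if absent or not valid base64/UTF-16LE."""
    match = ENCODED_FLAG.search(cmdline)
    if match is None:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        # binascii.Error (bad base64) is a ValueError subclass; an odd byte count
        # fails UTF-16LE decoding. Either way the argument is not a real encoded command.
        return None


def find_indicators(script: str):
    """Sorted names of the indicator patterns that match the (decoded) script text."""
    return sorted(name for name, pattern in INDICATORS.items() if pattern.search(script))


def triage(cmdline: str) -> dict:
    """Decode the command line if it is encoded, then scan it; plain command lines are scanned as-is."""
    decoded = decode_encoded_command(cmdline)
    text = decoded if decoded is not None else cmdline
    return {"encoded": decoded is not None, "script": text, "hits": find_indicators(text)}


def triage_all(cmdlines):
    return [triage(cmdline) for cmdline in cmdlines]


# Constructed stager-like script for the demo, not the script from the report.
# The path is a placeholder and the cleanup target is invented for illustration.
CONSTRUCTED_STAGE = (
    "$userFilesFolder = 'C:\\placeholder\\userfiles';\n"
    "$procs = tasklist;\n"
    "if ($procs -match '^sophos.*\\.exe') { Write-Output 'sophos present' }\n"
    "Remove-Item -Path ($userFilesFolder + '\\dropped.tmp') -Force\n"
)

# Constructed process-creation command lines, in the shape logged by
# Security event 4688 or Sysmon event 1. Neither is from the report.
SAMPLE_COMMAND_LINES = [
    "powershell.exe -NoP -W Hidden -EncodedCommand " + encode_command(CONSTRUCTED_STAGE),
    "powershell.exe -ExecutionPolicy Bypass -File C:\\placeholder\\maintenance.ps1",
]


if __name__ == "__main__":
    for result in triage_all(SAMPLE_COMMAND_LINES):
        print("encoded" if result["encoded"] else "plain", result["hits"])
```

The decoder deliberately refuses malformed base64 and odd-length UTF-16 rather than guessing; a command line that carries an `-enc` flag with garbage after it is still worth a look, but it is not the stager described above, and treating it as decoded text would produce noise. Scanning the plain command line when nothing decodes keeps the same indicators useful for stages that were never encoded.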
“the webshell by browsing to the URL where it now resides to gain access to the server. The Huntress research team identified the vulnerable component by decompiling the Java class files and examining the patch differential between version 23.3.35 and 23.3.36. The latest versi…”
T1505.003 Web Shell (51%)
“SysAid refers to this vulnerability as a “previously unknown path traversal vulnerability leading to code execution within the SysAid on-prem software.” The security bulletin does not include technical details for this vulnerability and how to exploit it, but does include tec…”
T1055.001 Dynamic-link Library Injection (34%)
“userfilesfolder as variables - enumerate running processes with tasklist, and use regular expressions to match any processes beginning with “sophos” and including .exe present in the executable name - if any processes matching these criteria are found, this PowerShell code remov…”
Summary
Huntress has analyzed the emerging SysAid CVE-2023-47246 vulnerability and recreated the attack chain with a proof-of-concept exploit.