Detect F5 TMUI RCE CVE-2020-5902

Description

This search detects remote code exploit attempts on F5 BIG-IP, BIG-IQ, and Traffix SDC devices

Content Mapping

This content is not mapped to any local saved search.


Use Case

Security Monitoring

Category

Adversary Tactics

Alert Volume

SPL Difficulty

None

Journey

Stage 3

MITRE ATT&CK Tactics

Initial Access

MITRE ATT&CK Techniques

Exploit Public-Facing Application

MITRE Threat Groups

APT28
APT29
APT39
APT41
Axiom
BlackTech
Blue Mockingbird
GOLD SOUTHFIELD
Night Dragon
Rocke
Soft Cell

Help

Detect F5 TMUI RCE CVE-2020-5902 Help

To consistently detect exploit attempts against F5 devices using the vulnerabilities contained within CVE-2020-5902, it is recommended to ingest the device logs via syslog. Because many BIG-IP devices have SSL enabled on their management interfaces, detections based on wire data may not pick anything up unless you are decrypting the SSL traffic in order to inspect it. I am using a regex string from a Cloudflare mitigation technique to try and always catch the offending string (..;), along with the other exploit of using (hsqldb;).
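The following is an added, stand-alone illustration of the matching logic the Help text describes, written in Python rather than SPL; it is not the page's saved search and not code from Splunk or F5. It runs the two indicators named above (the "..;" path segment and the "hsqldb" prefix) over constructed syslog-forwarded access-log lines shaped like BIG-IP httpd entries (the log format, the host name, the IP addresses and the request paths are all assumptions made for the example; the sensitive TMUI endpoints are replaced by a placeholder). The request URI is percent-decoded before matching so that an encoded form of the same indicator is not missed, and "hsqldb" is matched with or without the trailing semicolon; both of those are choices of this example, not statements from the page.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in the shape of BIG-IP httpd access-log entries forwarded
# over syslog. Host, addresses and paths are invented for this example.
SAMPLE_LOGS = [
    '2020-07-06T10:01:02Z bigip1 httpd: 203.0.113.5 "GET /tmui/login.jsp HTTP/1.1" 200',
    '2020-07-06T10:01:03Z bigip1 httpd: 203.0.113.5 "GET /tmui/login.jsp/..;/tmui/EXAMPLE.jsp?x=1 HTTP/1.1" 200',
    '2020-07-06T10:01:04Z bigip1 httpd: 203.0.113.5 "GET /tmui/login.jsp/%2e%2e%3b/tmui/EXAMPLE.jsp HTTP/1.1" 200',
    '2020-07-06T10:01:05Z bigip1 httpd: 198.51.100.9 "GET /hsqldb;example HTTP/1.1" 200',
    '2020-07-06T10:01:06Z bigip1 httpd: 198.51.100.9 "GET /tmui/dashboard.jsp HTTP/1.1" 200',
]

# Extracts source address, method and request URI from one access-log line
# (assumed layout: '<src> "<METHOD> <uri> HTTP/x.y"').
REQUEST_RE = re.compile(
    r'(?P<src>\d{1,3}(?:\.\d{1,3}){3}) "(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"'
)

# The two indicators named on the page: a "..;" path segment and the "hsqldb" prefix.
# The semicolon after "hsqldb" is deliberately not required (example's own choice).
INDICATOR_RE = re.compile(r'\.\.;|hsqldb', re.IGNORECASE)


def normalize_uri(uri: str) -> str:
    """Percent-decode until the string stops changing (bounded to 3 rounds), so an
    encoded "%2e%2e%3b" is compared in the same form as a literal "..;"."""
    prev = None
    for _ in range(3):
        if uri == prev:
            break
        prev, uri = uri, unquote(uri)
    return uri


def classify_line(line: str):
    """Return a finding dict for a line whose decoded URI carries an indicator, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    hit = INDICATOR_RE.search(normalize_uri(m.group("uri")))
    if not hit:
        return None
    return {
        "src": m.group("src"),
        "uri": m.group("uri"),  # keep the raw URI as seen in the log for the analyst
        "indicator": hit.group(0).lower(),
    }


def scan(lines):
    """Run classify_line over every log line and keep only the findings."""
    return [f for f in (classify_line(line) for line in lines) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOGS):
        print(f"{finding['src']} matched {finding['indicator']!r} in {finding['uri']}")
```

The match is made on the request URI alone, not on the response status, so attempts are flagged whether or not the device answered them successfully; that mirrors the page's goal of catching exploit attempts rather than confirmed compromises. On a real deployment the same pattern belongs in the log-based search the Help text recommends, since, as it notes, encrypted management traffic keeps wire data from seeing these paths.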

Search
