← Back to Explore
splunk_escuTTP
Juniper Networks Remote Code Execution Exploit Detection
The following analytic detects attempts to exploit a remote code execution vulnerability in Juniper Networks devices. It identifies requests to /webauth_operation.php?PHPRC=*, which are indicative of uploading and executing malicious PHP files. This detection leverages the Web data model, focusing on specific URL patterns and HTTP status codes. This activity is significant because it signals an attempt to gain unauthorized access and execute arbitrary code on the device. If confirmed malicious, the attacker could gain control over the device, leading to data theft, network compromise, or other severe consequences.
Detection Query
| tstats count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Web
WHERE Web.url IN ("*/webauth_operation.php?PHPRC=*") Web.status=200
BY Web.http_user_agent, Web.status Web.http_method,
Web.url, Web.url_length, Web.src,
Web.dest, sourcetype
| `drop_dm_object_name("Web")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `juniper_networks_remote_code_execution_exploit_detection_filter`Author
Michael Haag, Splunk
Data Sources
Suricata
References
- https://supportportal.juniper.net/s/article/2023-08-Out-of-Cycle-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Multiple-vulnerabilities-in-J-Web-can-be-combined-to-allow-a-preAuth-Remote-Code-Execution?language=en_US
- https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-36844.yaml
- https://thehackernews.com/2023/08/new-juniper-junos-os-flaws-expose.html
- https://github.com/watchtowrlabs/juniper-rce_cve-2023-36844
- https://labs.watchtowr.com/cve-2023-36844-and-friends-rce-in-juniper-firewalls/
- https://vulncheck.com/blog/juniper-cve-2023-36845
Raw Content
name: Juniper Networks Remote Code Execution Exploit Detection
id: 6cc4cc3d-b10a-4fac-be1e-55d384fc690e
version: 9
creation_date: '2023-08-29'
modification_date: '2026-05-13'
author: Michael Haag, Splunk
status: production
type: TTP
description: The following analytic detects attempts to exploit a remote code execution vulnerability in Juniper Networks devices. It identifies requests to /webauth_operation.php?PHPRC=*, which are indicative of uploading and executing malicious PHP files. This detection leverages the Web data model, focusing on specific URL patterns and HTTP status codes. This activity is significant because it signals an attempt to gain unauthorized access and execute arbitrary code on the device. If confirmed malicious, the attacker could gain control over the device, leading to data theft, network compromise, or other severe consequences.
data_source:
- Suricata
search: |-
| tstats count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Web
WHERE Web.url IN ("*/webauth_operation.php?PHPRC=*") Web.status=200
BY Web.http_user_agent, Web.status Web.http_method,
Web.url, Web.url_length, Web.src,
Web.dest, sourcetype
| `drop_dm_object_name("Web")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `juniper_networks_remote_code_execution_exploit_detection_filter`
how_to_implement: To implement this search, ensure that the Web data model is populated. The search is activated when the Web data model is accelerated. Network products, such as Suricata or Palo Alto, need to be mapped to the Web data model. Adjust the mapping as necessary to suit your specific products.
known_false_positives: Be aware of potential false positives - legitimate uses of the /webauth_operation.php endpoint may cause benign activities to be flagged.The URL in the analytic is specific to a successful attempt to exploit the vulnerability. Review contents of the HTTP body to determine if the request is malicious. If the request is benign, add the URL to the whitelist or continue to monitor.
references:
- https://supportportal.juniper.net/s/article/2023-08-Out-of-Cycle-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Multiple-vulnerabilities-in-J-Web-can-be-combined-to-allow-a-preAuth-Remote-Code-Execution?language=en_US
- https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-36844.yaml
- https://thehackernews.com/2023/08/new-juniper-junos-os-flaws-expose.html
- https://github.com/watchtowrlabs/juniper-rce_cve-2023-36844
- https://labs.watchtowr.com/cve-2023-36844-and-friends-rce-in-juniper-firewalls/
- https://vulncheck.com/blog/juniper-cve-2023-36845
drilldown_searches:
- name: View the detection results for - "$dest$"
search: '%original_detection_search% | search dest = "$dest$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: 7d
latest_offset: "0"
finding:
title: This analytic has identified a potential exploitation of a remote code execution vulnerability in Juniper Networks devices on $dest$ on the URL $url$ used for the exploit.
entity:
field: dest
type: system
score: 50
threat_objects:
- field: url
type: url
analytic_story:
- Juniper JunOS Remote Code Execution
asset_type: Web Server
cve:
- CVE-2023-36844
- CVE-2023-36845
- CVE-2023-36846
- CVE-2023-36847
mitre_attack_id:
- T1190
- T1105
- T1059
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
category: web
security_domain: network
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/juniper/suricata_junos_cvemegazord.log
source: not_applicable
sourcetype: suricata
test_type: unit