Ivanti VTM New Account Creation

name: Ivanti VTM New Account Creation
id: b04be6e5-2002-4349-8742-52285635b8f5
version: 7
date: '2026-03-10'
author: Michael Haag, Splunk
data_source:
    - Ivanti VTM Audit
type: TTP
status: production
description: This analytic detects potential exploitation of the Ivanti Virtual Traffic Manager (vTM) authentication bypass vulnerability (CVE-2024-7593) to create new administrator accounts. The vulnerability allows unauthenticated remote attackers to bypass authentication on the admin panel and create new admin users. This detection looks for suspicious new account creation events in the Ivanti vTM audit logs that lack expected authentication details, which may indicate exploitation attempts.
search: |-
    `ivanti_vtm_audit` OPERATION="adduser" MODGROUP="admin" IP="!!ABSENT!!"
      | stats count min(_time) as firstTime max(_time) as lastTime
        BY IP, MODUSER, OPERATION,
           MODGROUP, AUTH
      | `security_content_ctime(firstTime)`
      | `security_content_ctime(lastTime)`
      | `ivanti_vtm_new_account_creation_filter`
how_to_implement: To implement this detection, ensure that Ivanti vTM audit logs are being ingested into Splunk. Configure the Ivanti vTM to send its audit logs to Splunk via syslog or by monitoring the log files directly. The sourcetype should be set to "ivanti_vtm_audit" or a similar custom sourcetype for these logs.
known_false_positives: Legitimate new account creation by authorized administrators will generate similar log entries. However, those should include proper authentication details. Verify any detected events against expected administrative activities and authorized user lists.
references:
    - https://www.ivanti.com/security/security-advisories/ivanti-virtual-traffic-manager-vtm-cve-2024-7593
    - https://nvd.nist.gov/vuln/detail/CVE-2024-7593
drilldown_searches:
    - name: View the detection results for - "$MODUSER$"
      search: '%original_detection_search% | search  MODUSER = "$MODUSER$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$MODUSER$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$MODUSER$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: A new administrator account, $MODUSER$, was created on Ivanti vTM device without proper authentication, which may indicate exploitation of CVE-2024-7593.
    risk_objects:
        - field: MODUSER
          type: user
          score: 50
    threat_objects: []
tags:
    analytic_story:
        - Ivanti Virtual Traffic Manager CVE-2024-7593
        - Scattered Lapsus$ Hunters
        - Hellcat Ransomware
    asset_type: Web Application
    mitre_attack_id:
        - T1190
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: access
    cve:
        - CVE-2024-7593
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/ivanti/ivanti_vtm_audit.log
          sourcetype: ivanti_vtm_audit
          source: ivanti_vtm