crowdstrike_cqlHunting

IOC search | PTC Windchill & FlexPLM vulnerability

This query checks for Indicators of Compromise (IOCs) related to a critical Remote Code Execution vulnerability in PTC Windchill and FlexPLM. The query tracks the creation or modification of specific Java source files that an attacker may use to intercept requests, manipulate data streaming, or execute unauthorized system updates.

https://support.eacpds.com/hc/en-us/article_attachments/47430019070996

This CQL query is designed to catch an attacker at two different stages of the PTC Windchill/FlexPLM exploitation lifecycle.

### **1. The Two Detection "Stages"**

The `case` block splits the search into two specific scenarios:

* **Scenario A (Active Execution/Persistence):** Looks for compiled Java classes (`GW.class`, `Gen.class`) and JSP web shells (`dpr_*.jsp`). If these appear, the attacker has likely already triggered the exploit and is running code or maintaining a backdoor.
* **Scenario B (Staging/Delivery):** Looks for the specific Java source files (`.java`) that PTC lists as known Indicators of Compromise. These are payloads an attacker drops to overwrite core system functions.

### **2. Key Commands Used**

* **`#event_simpleName = /.*FileWritten/i`**: Selects every file-written event type (the regex matches any event name ending in `FileWritten`), so the query sees the moment a file is created or modified on disk. Which of these file types actually produce a `*FileWritten` event depends on sensor coverage; confirm by writing a test file of each type on a lab host before relying on the hunt.
* **`FileName = /.../i`**: Case-insensitive regex match on the file name (for example the `dpr_` prefix the query uses to flag dropped JSP web shells). These patterns are unanchored, so `GW\.class` also matches a longer name such as `NewGW.class`; review hits rather than treating every match as confirmed.
* **`in(field="FileName", values=[...])`**: Checks the file name against the list of known-bad names in a single exact-match test. Unlike the regex branch this comparison is case-sensitive, so a file dropped as `gw.java` on a case-insensitive Windows volume would not match; add `ignoreCase=true` if that matters in your environment.
* **`table`**: Displays the **Timestamp**, **Impacted Host**, the **Specific File** involved and the process that wrote it (`ContextBaseFileName`) to allow for immediate incident response.

MITRE ATT&CK

T1210 (Exploitation of Remote Services)

Detection Query

case{
  #event_simpleName = /.*FileWritten/i
  | FileName = /GW\.class/i or FileName = /Gen\.class/i or FileName = /dpr_.*\.jsp/i;
  #event_simpleName = /.*FileWritten/i
  | in(field="FileName",values=["Gen.java","GW.java","HTTPRequest.java","HTTPResponse.java","IXBCommonStreamer.java","IXBStreamer.java","MethodFeedback.java","MethodResult.java","WTContextUpdate.java"]);
}
| table(@timestamp,ComputerName,FileName,ContextBaseFileName)
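The following Python script is added here as an illustration and is not part of the original query page or of the ByteRay repository. It replays the query's two-stage logic (unanchored case-insensitive regex for Scenario A, exact-match list for Scenario B) over a handful of constructed `*FileWritten` records, so you can see which names each branch catches and misses before running the hunt against live data. The event names, host names, timestamps and file names in `SAMPLE_EVENTS` are invented for the example.

```python
"""Replay of the two-stage PTC Windchill/FlexPLM IOC hunt over constructed telemetry.

Added example; not the query author's code. Sample events are invented.
"""
import re
from typing import Dict, List, Optional, Tuple

# Mirrors `#event_simpleName = /.*FileWritten/i`: any event name containing "FileWritten".
FILE_WRITTEN_RE = re.compile(r".*FileWritten", re.IGNORECASE)

# Scenario A: compiled payload classes and dropped JSP web shells.
# Unanchored and case-insensitive, exactly like `FileName = /GW\.class/i` in CQL.
STAGE_A_PATTERNS = [
    re.compile(p, re.IGNORECASE) for p in (r"GW\.class", r"Gen\.class", r"dpr_.*\.jsp")
]

# Scenario B: exact file names from the query's in() list. in() is case-sensitive
# unless ignoreCase=true is supplied, so the set comparison below is exact too.
STAGE_B_NAMES = {
    "Gen.java", "GW.java", "HTTPRequest.java", "HTTPResponse.java",
    "IXBCommonStreamer.java", "IXBStreamer.java", "MethodFeedback.java",
    "MethodResult.java", "WTContextUpdate.java",
}

# Constructed sample telemetry (hosts, times and writer processes are invented).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"@timestamp": "2024-05-01T10:00:00Z", "#event_simpleName": "ScriptFileWritten",
     "ComputerName": "WC-APP01", "FileName": "dpr_cmd.jsp", "ContextBaseFileName": "java.exe"},
    {"@timestamp": "2024-05-01T10:00:05Z", "#event_simpleName": "ScriptFileWritten",
     "ComputerName": "WC-APP01", "FileName": "WTContextUpdate.java", "ContextBaseFileName": "java.exe"},
    # Same name, but not a file-written event: the first filter drops it.
    {"@timestamp": "2024-05-01T10:00:07Z", "#event_simpleName": "ProcessRollup2",
     "ComputerName": "WC-APP01", "FileName": "GW.class", "ContextBaseFileName": "java.exe"},
    # Unanchored regex: "NewGW.class" still contains "GW.class".
    {"@timestamp": "2024-05-01T10:01:00Z", "#event_simpleName": "ScriptFileWritten",
     "ComputerName": "WC-APP02", "FileName": "NewGW.class", "ContextBaseFileName": "javaw.exe"},
    # Lower-case variant of an IOC name: exact in() match does not fire.
    {"@timestamp": "2024-05-01T10:02:00Z", "#event_simpleName": "ScriptFileWritten",
     "ComputerName": "WC-APP02", "FileName": "gw.java", "ContextBaseFileName": "javaw.exe"},
    {"@timestamp": "2024-05-01T10:03:00Z", "#event_simpleName": "ScriptFileWritten",
     "ComputerName": "WC-APP03", "FileName": "report.jsp", "ContextBaseFileName": "java"},
]


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return 'A', 'B' or None, mirroring the two branches of the CQL case{} block."""
    if not FILE_WRITTEN_RE.search(event.get("#event_simpleName", "")):
        return None
    name = event.get("FileName", "")
    if any(p.search(name) for p in STAGE_A_PATTERNS):
        return "A"
    if name in STAGE_B_NAMES:
        return "B"
    return None


def hunt(events: List[Dict[str, str]]) -> List[Tuple[str, str, str, str, str]]:
    """Emit the query's table() columns plus the scenario that fired, in event order."""
    rows = []
    for ev in events:
        stage = classify(ev)
        if stage is not None:
            rows.append((ev["@timestamp"], ev["ComputerName"], ev["FileName"],
                         ev["ContextBaseFileName"], stage))
    return rows


if __name__ == "__main__":
    print(f"{'@timestamp':<22}{'ComputerName':<12}{'FileName':<24}{'Writer':<10}Stage")
    for ts, host, fname, writer, stage in hunt(SAMPLE_EVENTS):
        print(f"{ts:<22}{host:<12}{fname:<24}{writer:<10}{stage}")
```

Run it and note the two edge cases in the output: `NewGW.class` is reported because the Scenario A regex is unanchored, while `gw.java` is silent because the Scenario B list is an exact match. Decide deliberately which behaviour you want (anchor the regex with `^...$`, add `ignoreCase=true` to `in()`, or keep both as written) before deploying the hunt.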

Author

ByteRay GmbH

Data Sources

Endpoint

Platforms

Windows, Linux

Tags

Hunting, cs_module:Insight
Raw Content
# --- Query Metadata ---
# Human-readable name for the query. Will be displayed as the title.
name: "IOC search | PTC Windchill & FlexPLM vulnerability"

# MITRE ATT&CK technique IDs
mitre_ids:
- T1210

# Description of what the query does and its purpose.
description: |
  This query checks for Indicators of Compromise (IOCs) related to a critical Remote Code Execution vulnerability in PTC Windchill and FlexPLM. The query tracks the creation or modification of specific Java source files that an attacker may use to intercept requests, manipulate data streaming, or execute unauthorized system updates.
  
  https://support.eacpds.com/hc/en-us/article_attachments/47430019070996

# The author or team that created the query.
author: ByteRay GmbH

# The required log sources to run this query successfully in Next-Gen SIEM.
log_sources:
  - Endpoint

# The CrowdStrike modules required to run this query.
cs_required_modules:
  - Insight

# Tags for filtering and categorization.
tags:
  - Hunting

# --- Query Content ---
# The actual CrowdStrike Query Language (CQL) code.
# Using the YAML block scalar `|` allows for multi-line strings.
cql: |
  case{
    #event_simpleName = /.*FileWritten/i
    | FileName = /GW\.class/i or FileName = /Gen\.class/i or FileName = /dpr_.*\.jsp/i;
    #event_simpleName = /.*FileWritten/i
    | in(field="FileName",values=["Gen.java","GW.java","HTTPRequest.java","HTTPResponse.java","IXBCommonStreamer.java","IXBStreamer.java","MethodFeedback.java","MethodResult.java","WTContextUpdate.java"]);
  }
  | table(@timestamp,ComputerName,FileName,ContextBaseFileName)

# Explanation of the query.
# Using the YAML block scalar `|` allows for multi-line strings.
# Uses markdown for formatting on the webpage.
explanation: |
  This CQL query is designed to catch an attacker at two different stages of the PTC Windchill/FlexPLM exploitation lifecycle.
  
  ### **1. The Two Detection "Stages"**
  The `case` block splits the search into two specific scenarios:
  
  * **Scenario A (Active Execution/Persistence):** Looks for compiled Java classes (`GW.class`, `Gen.class`) and JSP web shells (`dpr_*.jsp`). If these appear, the attacker has likely already triggered the exploit and is running code or maintaining a backdoor.
  * **Scenario B (Staging/Delivery):** Looks for the specific Java source files (`.java`) that PTC lists as known Indicators of Compromise. These are payloads an attacker drops to overwrite core system functions.
  
  ### **2. Key Commands Used**
  * **`#event_simpleName = /.*FileWritten/i`**: Selects every file-written event type (the regex matches any event name ending in `FileWritten`), so the query sees the moment a file is created or modified on disk. Which of these file types actually produce a `*FileWritten` event depends on sensor coverage; confirm by writing a test file of each type on a lab host before relying on the hunt.
  * **`FileName = /.../i`**: Case-insensitive regex match on the file name (for example the `dpr_` prefix the query uses to flag dropped JSP web shells). These patterns are unanchored, so `GW\.class` also matches a longer name such as `NewGW.class`; review hits rather than treating every match as confirmed.
  * **`in(field="FileName", values=[...])`**: Checks the file name against the list of known-bad names in a single exact-match test. Unlike the regex branch this comparison is case-sensitive, so a file dropped as `gw.java` on a case-insensitive Windows volume would not match; add `ignoreCase=true` if that matters in your environment.
  * **`table`**: Displays the **Timestamp**, **Impacted Host**, the **Specific File** involved and the process that wrote it (`ContextBaseFileName`) to allow for immediate incident response.