
IOC search | PTC Windchill & FlexPLM vulnerability

This query checks for Indicators of Compromise (IOCs) related to a critical Remote Code Execution vulnerability in PTC Windchill and FlexPLM. The query tracks the creation or modification of specific Java source files that an attacker may use to intercept requests, manipulate data streaming, or execute unauthorized system updates. https://support.eacpds.com/hc/en-us/article_attachments/47430019070996

EDR | hunting | T1210
FDR | intermediate | by ByteRay GmbH (cql-hub.com) | 1 min read

Query

case{
  #event_simpleName = /.*FileWritten/i
  | FileName = /GW\.class/i or FileName = /Gen\.class/i or FileName = /dpr_.*\.jsp/i;
  #event_simpleName = /.*FileWritten/i
  | in(field="FileName",values=["Gen.java","GW.java","HTTPRequest.java","HTTPResponse.java","IXBCommonStreamer.java","IXBStreamer.java","MethodFeedback.java","MethodResult.java","WTContextUpdate.java"]);
}
| table(@timestamp,ComputerName,FileName,ContextBaseFileName)

Explanation

Imported from cql-hub.com. The pipes, read top to bottom:

- `case { ... }` evaluates its branches in order and keeps an event on the first branch that matches; there is no `*` default branch, so every event that matches neither branch is dropped.
- Branch 1: `#event_simpleName = /.*FileWritten/i` restricts the search to file-write events of any type, and `FileName = /GW\.class/i or FileName = /Gen\.class/i or FileName = /dpr_.*\.jsp/i` matches the compiled classes and the `dpr_*.jsp` pages by regex. These regexes are case-insensitive and unanchored, so they also match longer names that merely contain `Gen.class` or `GW.class`.
- Branch 2: the same event filter, followed by `in(field="FileName", values=[...])`, which matches the exact Java source file names listed (`in()` compares case-sensitively unless `ignoreCase=true` is supplied).
- `table(@timestamp, ComputerName, FileName, ContextBaseFileName)` outputs one row per hit: when the file was written, on which host, the file name, and the base name of the process that wrote it.
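To make the matching behaviour of the two `case` branches concrete, the following Python script re-implements the query's logic and runs it over a handful of constructed FileWritten events. It is an added example, not part of the cql-hub.com page or the ByteRay GmbH query; the sample events, host names, and process names are invented for illustration, and the script only mirrors the query's semantics (unanchored case-insensitive regexes in branch 1, exact case-sensitive `in()` in branch 2, no default branch) rather than querying LogScale.

```python
"""Offline mirror of the Windchill/FlexPLM IOC hunting query, run over constructed sample events."""
import re

# Branch 1 of the query: FileName matched by unanchored, case-insensitive regexes (/.../i semantics).
REGEX_NAMES = [re.compile(p, re.IGNORECASE) for p in (r"GW\.class", r"Gen\.class", r"dpr_.*\.jsp")]

# Branch 2 of the query: FileName in an exact list (LogScale in() is case-sensitive by default).
EXACT_NAMES = frozenset([
    "Gen.java", "GW.java", "HTTPRequest.java", "HTTPResponse.java", "IXBCommonStreamer.java",
    "IXBStreamer.java", "MethodFeedback.java", "MethodResult.java", "WTContextUpdate.java",
])

# Both branches start with #event_simpleName = /.*FileWritten/i
FILE_WRITTEN = re.compile(r".*FileWritten", re.IGNORECASE)

# Columns emitted by the trailing table()
TABLE_COLUMNS = ("@timestamp", "ComputerName", "FileName", "ContextBaseFileName")


def branch_regex(event):
    """Branch 1: any of the three FileName regexes matches anywhere in the name."""
    name = event.get("FileName", "")
    return any(rx.search(name) for rx in REGEX_NAMES)


def branch_exact(event):
    """Branch 2: FileName is exactly one of the listed Java sources."""
    return event.get("FileName") in EXACT_NAMES


def matches(event):
    """Mirror of case{}: only *FileWritten events, first matching branch wins, no default.

    Returns "regex", "exact", or None (event dropped).
    """
    if not FILE_WRITTEN.search(event.get("#event_simpleName", "")):
        return None
    if branch_regex(event):
        return "regex"
    if branch_exact(event):
        return "exact"
    return None


def hunt(events):
    """Equivalent of table(): one row with the four columns per matching event, input order kept."""
    return [{col: ev.get(col) for col in TABLE_COLUMNS} for ev in events if matches(ev)]


# Constructed sample events (hypothetical hosts and processes, not real telemetry).
SAMPLE_EVENTS = [
    {"#event_simpleName": "ScriptFileWritten", "@timestamp": "2024-06-01T10:00:00Z",
     "ComputerName": "WC-APP01", "FileName": "Gen.java", "ContextBaseFileName": "java.exe"},
    {"#event_simpleName": "PeFileWritten", "@timestamp": "2024-06-01T10:00:05Z",
     "ComputerName": "WC-APP01", "FileName": "GW.class", "ContextBaseFileName": "javac.exe"},
    {"#event_simpleName": "ScriptFileWritten", "@timestamp": "2024-06-01T10:00:09Z",
     "ComputerName": "WC-APP01", "FileName": "dpr_test.jsp", "ContextBaseFileName": "java.exe"},
    # Lower-case name: branch 2 is case-sensitive and branch 1 only covers .class/.jsp -> dropped
    {"#event_simpleName": "ScriptFileWritten", "@timestamp": "2024-06-01T10:01:00Z",
     "ComputerName": "WC-APP02", "FileName": "gen.java", "ContextBaseFileName": "java.exe"},
    # Not a *FileWritten event -> dropped even though the name is in the list
    {"#event_simpleName": "ProcessRollup2", "@timestamp": "2024-06-01T10:02:00Z",
     "ComputerName": "WC-APP02", "FileName": "GW.java", "ContextBaseFileName": "cmd.exe"},
    # Unanchored regex: "CodeGen.class" contains "Gen.class" -> matched (possible false positive)
    {"#event_simpleName": "PeFileWritten", "@timestamp": "2024-06-01T10:03:00Z",
     "ComputerName": "BUILD01", "FileName": "CodeGen.class", "ContextBaseFileName": "javac.exe"},
]

if __name__ == "__main__":
    for row in hunt(SAMPLE_EVENTS):
        print(row)
```

Running the script prints four rows: the exact `Gen.java` hit, the two regex hits `GW.class` and `dpr_test.jsp`, and `CodeGen.class`, which illustrates that the unanchored regexes match any name containing the pattern. The lower-case `gen.java` event is dropped because `in()` compares exactly, and the `ProcessRollup2` event is dropped by the `#event_simpleName` filter.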

Variables to adjust

Review and adjust the values to your environment. The tunable parts of this query are the three `FileName` regexes in the first branch and the `in()` list of Java source names in the second; because the regexes are unanchored, review the `ContextBaseFileName` column of each hit to separate writes by the Windchill/FlexPLM application's own process from unexpected writers before escalating.