Adversaries may be exploiting the Pulse Connect Secure RCE vulnerability (CVE-2021-22893) to gain remote code execution on VPN servers. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate potential compromise of critical network infrastructure.
KQL Query
let threshold = 3;
PulseConnectSecure
| where Messages contains "Unauthenticated request url /dana-na/"
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by Source_IP
| where count_ > threshold
Analytic Rule YAML
id: d0c82b7f-40b2-4180-a4d6-7aa0541b7599
name: PulseConnectSecure - CVE-2021-22893 Possible Pulse Connect Secure RCE Vulnerability Attack
description: |
  'This query identifies exploitation attempts using Pulse Connect Secure (PCS) vulnerability (CVE-2021-22893) to the VPN server'
severity: High
requiredDataConnectors:
  - connectorId: PulseConnectSecure
    dataTypes:
      - Syslog
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - InitialAccess
relevantTechniques:
  - T1190
query: |
  let threshold = 3;
  PulseConnectSecure
  | where Messages contains "Unauthenticated request url /dana-na/"
  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by Source_IP
  | where count_ > threshold
entityMappings:
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: Source_IP
version: 1.0.2
kind: Scheduled
metadata:
  source:
    kind: Community
  author:
    name: Sittikorn S
  support:
    tier: Community
  categories:
    domains: [ "Security - Threat Intelligence" ]
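To make the rule's logic concrete, here is an added Python re-implementation of the KQL pipeline (filter on the /dana-na/ marker, summarize by Source_IP, alert when count_ exceeds the threshold) run over constructed sample rows. This is example code written for this page, not part of the Sentinel rule; the sample records, the MARKER string and the allowlist tuning parameter are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample rows in the shape of the PulseConnectSecure table:
# (TimeGenerated, Source_IP, Messages). Not real appliance logs.
MARKER = "Unauthenticated request url /dana-na/auth/url_default/welcome.cgi"
SAMPLE_RECORDS = (
    [(f"2021-04-21T10:00:0{i}Z", "198.51.100.7", MARKER) for i in range(3)]
    + [("2021-04-21T10:00:09Z", "198.51.100.7", MARKER.upper())]  # case differs
    + [(f"2021-04-21T10:05:0{i}Z", "203.0.113.4", MARKER) for i in range(3)]
    + [(f"2021-04-21T10:10:0{i}Z", "10.0.0.5", MARKER) for i in range(5)]
    + [("2021-04-21T10:11:00Z", "10.0.0.9", "Login failed for user alice")]
)

THRESHOLD = 3  # same value as `let threshold = 3;` in the rule
NEEDLE = "Unauthenticated request url /dana-na/"


def hunt(records, threshold=THRESHOLD, allowlist=frozenset()):
    """Re-implement the KQL pipeline over in-memory rows.

    - `contains` in KQL is case-insensitive, so matching is done on casefolded text.
    - `summarize ... by Source_IP` becomes a per-IP bucket of timestamps.
    - `count_ > threshold` is strict: exactly `threshold` hits do not alert.
    `allowlist` is a hypothetical tuning knob (not in the original rule) for
    sources such as an internal vulnerability scanner expected to probe /dana-na/.
    """
    per_ip = defaultdict(list)
    for ts, ip, msg in records:
        if NEEDLE.casefold() in msg.casefold() and ip not in allowlist:
            per_ip[ip].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    return {
        ip: {"StartTime": min(times), "EndTime": max(times), "count_": len(times)}
        for ip, times in per_ip.items()
        if len(times) > threshold
    }


if __name__ == "__main__":
    for ip, row in hunt(SAMPLE_RECORDS, allowlist={"10.0.0.5"}).items():
        print(ip, row["count_"], row["StartTime"], row["EndTime"])
```

Note that 203.0.113.4 is not reported even though it matched three times: the rule's comparison is strictly greater than the threshold.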
False Positive Scenarios
The exclusions below reference process, event and host fields; the rule above keys only on Messages and Source_IP, so each exclusion has to be mapped onto those columns (or joined from the relevant host or authentication telemetry) before it can be applied to the query.

Scenario: Legitimate Admin Task - Scheduled Job Execution
Description: An administrator is running a scheduled job to update the Pulse Connect Secure configuration using the pcsadmin tool.
Filter/Exclusion: Check for process.name = pcsadmin and process.args LIKE '%update%' to exclude legitimate configuration updates.

Scenario: System Maintenance - Log File Analysis
Description: A security analyst is manually reviewing logs for unusual activity using the logcheck tool, which is configured to analyze Pulse Connect Secure logs.
Filter/Exclusion: Filter by process.name = logcheck and process.args LIKE '%logcheck%' to exclude manual log analysis activities.

Scenario: Patch Deployment - Automated Update Process
Description: A patch management system is deploying a security update to Pulse Connect Secure using the patchmgr tool.
Filter/Exclusion: Use process.name = patchmgr and process.args LIKE '%deploy%' to exclude automated patch deployment tasks.

Scenario: User Authentication - Failed Login Attempt
Description: A user is attempting to authenticate to the Pulse Connect Secure server, resulting in a failed login attempt.
Filter/Exclusion: Filter by event.type = failed_login and source.ip IN (known_user_ips) to exclude legitimate user authentication attempts.

Scenario: Network Monitoring - Traffic Analysis Tool
Description: A network monitoring tool such as Wireshark is capturing and analyzing traffic to the Pulse Connect Secure server for troubleshooting.
Filter/Exclusion: Use process.name = wireshark or process.name = tcpdump to exclude network traffic analysis activities.