Ivanti VTM New Account Creation

name: Ivanti VTM New Account Creation
id: b04be6e5-2002-4349-8742-52285635b8f5
version: 9
creation_date: '2024-08-20'
modification_date: '2026-05-13'
author: Michael Haag, Splunk
status: production
type: TTP
description: This analytic detects potential exploitation of the Ivanti Virtual Traffic Manager (vTM) authentication bypass vulnerability (CVE-2024-7593) to create new administrator accounts. The vulnerability allows unauthenticated remote attackers to bypass authentication on the admin panel and create new admin users. This detection looks for suspicious new account creation events in the Ivanti vTM audit logs that lack expected authentication details, which may indicate exploitation attempts.
data_source:
    - Ivanti VTM Audit
search: |-
    `ivanti_vtm_audit` OPERATION="adduser" MODGROUP="admin" IP="!!ABSENT!!"
      | stats count min(_time) as firstTime max(_time) as lastTime
        BY IP, MODUSER, OPERATION,
           MODGROUP, AUTH
      | `security_content_ctime(firstTime)`
      | `security_content_ctime(lastTime)`
      | `ivanti_vtm_new_account_creation_filter`
how_to_implement: To implement this detection, ensure that Ivanti vTM audit logs are being ingested into Splunk. Configure the Ivanti vTM to send its audit logs to Splunk via syslog or by monitoring the log files directly. The sourcetype should be set to "ivanti_vtm_audit" or a similar custom sourcetype for these logs.
known_false_positives: Legitimate new account creation by authorized administrators will generate similar log entries. However, those should include proper authentication details. Verify any detected events against expected administrative activities and authorized user lists.
references:
    - https://www.ivanti.com/security/security-advisories/ivanti-virtual-traffic-manager-vtm-cve-2024-7593
    - https://nvd.nist.gov/vuln/detail/CVE-2024-7593
drilldown_searches:
    - name: View the detection results for - "$MODUSER$"
      search: '%original_detection_search% | search  MODUSER = "$MODUSER$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$MODUSER$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$MODUSER$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: 7d
      latest_offset: "0"
finding:
    title: A new administrator account, $MODUSER$, was created on Ivanti vTM device without proper authentication, which may indicate exploitation of CVE-2024-7593.
    entity:
        field: MODUSER
        type: user
        score: 50
analytic_story:
    - Ivanti Virtual Traffic Manager CVE-2024-7593
    - Scattered Lapsus$ Hunters
    - Hellcat Ransomware
asset_type: Web Application
cve:
    - CVE-2024-7593
mitre_attack_id:
    - T1190
product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
category: application
security_domain: access
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/ivanti/ivanti_vtm_audit.log
          sourcetype: ivanti_vtm_audit
          source: ivanti_vtm
      test_type: unit