The Ivanti Connect Secure (ICS) vulnerabilities—specifically the devastating chain of CVE-2023-46805 (Authentication Bypass) and CVE-2024-21887 (Command Injection)—have reshaped perimeter security assumptions. Attackers realized that edge gateways, traditionally trusted appliances sitting at the boundary of the internal network, often lack deep Endpoint Detection and Response (EDR) coverage. By chaining an auth bypass with a crafted payload sent to the `/api/v1/totp/user-backup-code` endpoint, adversaries gained unauthenticated, root-level remote command execution. This briefing translates these exploit mechanics into high-fidelity KQL hunting queries for Microsoft Sentinel, shifting the focus from patching to proactive detection of post-exploitation behavior.
Before a web shell is dropped, adversaries must probe the gateway to confirm exploitability. While signatures for specific payloads often change, the targeted URIs remain relatively static. By analyzing the `CommonSecurityLog` in Sentinel, we can hunt for anomalous, high-frequency requests hitting the specific vulnerable API paths, regardless of the obfuscation used in the payload body.
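The following KQL query is an added example, not a query from the original briefing. It applies the idea above: normalise the request URI so case and URL-encoding tricks cannot hide the static path, then count hits on `/api/v1/totp/user-backup-code` per source address in five-minute bins and surface only bursts. The rows in the `datatable` are constructed sample data standing in for `CommonSecurityLog`; the column names (`SourceIP`, `RequestURL`, `RequestMethod`, `DeviceVendor`), the `"Ivanti"` vendor string and the threshold of three requests are assumptions to be checked against your own CEF mapping and baseline.

```kql
// Added example: burst detection for the ICS TOTP backup-code API path.
// Constructed sample rows standing in for CommonSecurityLog (field names assumed).
let Sample = datatable(TimeGenerated:datetime, SourceIP:string, RequestURL:string, RequestMethod:string, DeviceVendor:string)
[
    datetime(2024-01-12T09:00:01Z), "203.0.113.7",   "/api/v1/totp/user-backup-code",        "POST", "Ivanti",
    datetime(2024-01-12T09:00:02Z), "203.0.113.7",   "/api/v1/TOTP/User-Backup-Code",        "POST", "Ivanti",
    datetime(2024-01-12T09:00:03Z), "203.0.113.7",   "/api/v1/totp/user%2Dbackup%2Dcode",    "POST", "Ivanti",
    datetime(2024-01-12T09:00:04Z), "203.0.113.7",   "/api/v1/totp/user-backup-code",        "POST", "Ivanti",
    datetime(2024-01-12T09:00:05Z), "203.0.113.7",   "/api/v1/totp/user-backup-code",        "POST", "Ivanti",
    datetime(2024-01-12T09:15:00Z), "198.51.100.22", "/dana-na/auth/url_default/welcome.cgi", "GET",  "Ivanti",
    datetime(2024-01-12T09:20:00Z), "198.51.100.40", "/api/v1/totp/user-backup-code",        "POST", "Ivanti"
];
let Threshold  = 3;                                  // assumed: requests per source per 5-minute bin
let TargetPath = "/api/v1/totp/user-backup-code";    // the static URI named in the briefing
Sample
// To run for real: replace `Sample` with CommonSecurityLog and keep the vendor filter
| where DeviceVendor == "Ivanti"                      // assumed vendor string in your CEF feed
// Normalise the URI so encoding and case games do not hide the static path
| extend NormalizedURL = tolower(url_decode(RequestURL))
| where NormalizedURL contains TargetPath
// Count per source in 5-minute windows; keep the raw URIs so the analyst can see the obfuscation used
| summarize RequestCount = count(),
            FirstSeen    = min(TimeGenerated),
            LastSeen     = max(TimeGenerated),
            Methods      = make_set(RequestMethod),
            RawURLs      = make_set(RequestURL)
          by SourceIP, Window = bin(TimeGenerated, 5m)
| where RequestCount >= Threshold
| order by RequestCount desc
```

On the sample rows this returns a single line for `203.0.113.7` with `RequestCount` 5 and three distinct `RawURLs`; the lone request from `198.51.100.40` stays below the threshold. That is deliberate: legitimate users do redeem TOTP backup codes, so volume and source reputation are the signal, not the mere presence of the path. Lower the threshold or drop the bin when you are investigating a specific address rather than sweeping the whole log.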
The true danger of an edge gateway compromise is what happens next. ICS appliances are not the final target; they are the beachhead. Once a foothold is established, threat actors immediately attempt to pivot internally (East-West traffic) to reach Tier-0 assets like Domain Controllers. Because the gateway is a trusted internal node, this traffic often bypasses perimeter firewalls. By correlating `DeviceNetworkEvents`, we hunt for the appliance behaving out of character—initiating SMB, RDP, or WinRM connections to internal infrastructure.
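The following KQL query is an added example, not a query from the original briefing. One practical point it builds in: because the appliance itself carries no EDR sensor, its outbound SMB, RDP and WinRM sessions are visible in `DeviceNetworkEvents` from the other side, on the Windows targets, as accepted inbound connections whose `RemoteIP` is the gateway's internal interface. The query therefore filters on `InboundConnectionAccepted` from the gateway address to the lateral-movement ports and groups the result per gateway. The `datatable` rows are constructed sample data; the gateway address `10.0.0.5` is a placeholder for your appliance's internal interface, and the port list is the usual mapping for the three protocols named above.

```kql
// Added example: the ICS appliance initiating SMB/RDP/WinRM sessions to internal Windows hosts,
// seen from the target's side in DeviceNetworkEvents. Constructed sample rows (columns as in DeviceNetworkEvents).
let GatewayIPs   = dynamic(["10.0.0.5"]);              // placeholder: ICS internal interface address(es)
let LateralPorts = dynamic([445, 3389, 5985, 5986]);   // SMB, RDP, WinRM over HTTP and HTTPS
let Sample = datatable(TimeGenerated:datetime, DeviceName:string, ActionType:string, LocalIP:string, LocalPort:int, RemoteIP:string, RemotePort:int, InitiatingProcessFileName:string)
[
    datetime(2024-01-12T09:31:10Z), "dc01.corp.example", "InboundConnectionAccepted", "10.0.1.10", 445,  "10.0.0.5",  49812, "System",
    datetime(2024-01-12T09:31:12Z), "dc01.corp.example", "InboundConnectionAccepted", "10.0.1.10", 5985, "10.0.0.5",  49813, "svchost.exe",
    datetime(2024-01-12T09:32:00Z), "dc02.corp.example", "InboundConnectionAccepted", "10.0.1.11", 3389, "10.0.0.5",  49820, "svchost.exe",
    datetime(2024-01-12T09:33:00Z), "fs01.corp.example", "InboundConnectionAccepted", "10.0.2.20", 445,  "10.0.3.77", 51000, "System",
    datetime(2024-01-12T09:34:00Z), "dc01.corp.example", "InboundConnectionAccepted", "10.0.1.10", 443,  "10.0.0.5",  49830, "w3wp.exe"
];
Sample
// To run for real: replace `Sample` with DeviceNetworkEvents (Defender XDR connector)
| where ActionType == "InboundConnectionAccepted"      // the target host accepted the session
| where RemoteIP in (GatewayIPs)                       // ...and the initiator is the gateway
| where LocalPort in (LateralPorts)                    // ...on a lateral-movement service
| extend Protocol = case(LocalPort == 445,  "SMB",
                         LocalPort == 3389, "RDP",
                         LocalPort in (5985, 5986), "WinRM",
                         "Other")
// One row per gateway address: how many sessions, to which hosts, over which protocols
| summarize Connections = count(),
            FirstSeen   = min(TimeGenerated),
            LastSeen    = max(TimeGenerated),
            Protocols   = make_set(Protocol),
            Targets     = make_set(DeviceName),
            Processes   = make_set(InitiatingProcessFileName)
          by RemoteIP
| extend TargetCount = array_length(Targets)
| order by Connections desc
```

On the sample rows this yields one line for `10.0.0.5` with three connections to two hosts (`dc01`, `dc02`) over SMB, WinRM and RDP; the SMB session from `10.0.3.77` and the HTTPS session on port 443 are filtered out. Any non-zero result deserves attention, since a VPN gateway has no routine business opening these services on a domain controller. Where the Defender sensor is not deployed on the target tier, the same logic applies to firewall or NetFlow records with the source and destination fields swapped accordingly.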