2017-03-29 09:41 AM
I was recently asked about this vulnerability by a partner; it seemed like something interesting that NetWitness (NW) Packet capture (if in the right place on your network) would be able to easily detect.
Exploit appears to be against a version of IIS (6.0) and is related to improper validation of an 'IF' header in a PROPFIND request (from TrendMicro link below). I am not a vulnerability expert but figured that I could plug the details of the exploit into the NW metavalues and see if we could come up with a drill to detect this CVE.
https://github.com/edwardz246003/IIS_exploit
Http requests and PROPFIND
service = 80 && action = 'PROPFIND'
If you have 10.6.2.x and have installed the additional hunting pack items then you should have access to the header values to go a step further
Http request with PROPFIND and IF header
service = 80 && action = 'PROPFIND' && http.request = 'If'
Depending on how you indexed the unique values of those header elements, you may also be able to run the following query from Investigator
service=80 && action='propfind' && http.request='if' && res.uniq contains '<http://'
If those match your logic then you could convert those into application rules and then trigger your alerts off them (depending on where your capture is located you may want to add direction='inbound' to filter on just inbound attempts to your public facing web properties)
Anyone successful at locating this? I haven't been able to validate with any PCAP, so these are best guesses so far for detection.
2017-03-29 01:17 PM
The following query works:
service = 80 && action = 'PROPFIND' && server = 'Microsoft-IIS/6.0'
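The staged drill from the first post (PROPFIND, then an If header, then '<http://' in that header) together with the Server-header check from the second post, written out as an added Python example over constructed HTTP request/response samples. This is not NetWitness code; the stage names, the parser and the sample traffic are my own assumptions.

```python
"""Toy detector for the PROPFIND / If-header pattern discussed in the thread."""

# Constructed request/response pairs (raw HTTP text) used as sample input.
SAMPLES = [
    ("PROPFIND / HTTP/1.1\r\nHost: host\r\nIf: <http://host/aaa> (Not <locktoken:x>)\r\n\r\n",
     "HTTP/1.1 207 Multi-Status\r\nServer: Microsoft-IIS/6.0\r\n\r\n"),
    ("PROPFIND /docs/ HTTP/1.1\r\nHost: host\r\nDepth: 1\r\n\r\n",
     "HTTP/1.1 207 Multi-Status\r\nServer: Microsoft-IIS/6.0\r\n\r\n"),
    ("GET / HTTP/1.1\r\nHost: host\r\n\r\n",
     "HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n"),
    ("PROPFIND / HTTP/1.1\r\nHost: host\r\nIf: <http://host/x> (<opaquelocktoken:1>)\r\n\r\n",
     "HTTP/1.1 207 Multi-Status\r\nServer: Microsoft-IIS/7.5\r\n\r\n"),
]


def parse_http(raw):
    """Split a raw HTTP message into (start line, {lowercased header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def classify(request, response):
    """Return the set of detection stages from the thread that fire for one exchange."""
    start, req_h = parse_http(request)
    _, resp_h = parse_http(response)
    method = start.split(" ", 1)[0].upper()
    hits = set()
    if method != "PROPFIND":
        return hits
    hits.add("propfind")                        # service = 80 && action = 'PROPFIND'
    if "if" in req_h:
        hits.add("propfind+if")                 # ... && http.request = 'If'
        if "<http://" in req_h["if"].lower():
            hits.add("propfind+if+uri")         # ... && res.uniq contains '<http://'
    if resp_h.get("server", "").startswith("Microsoft-IIS/6.0"):
        hits.add("propfind+iis6")               # second post: server = 'Microsoft-IIS/6.0'
    return hits


def run(samples=SAMPLES):
    """Classify every sample; returns one sorted stage list per exchange."""
    return [sorted(classify(q, r)) for q, r in samples]
```

Legitimate WebDAV clients also send tagged-list If headers of the form `<http://host/path> (<opaquelocktoken:...>)` (RFC 4918), so the third stage narrows candidates for review rather than confirming an attack. The direction='inbound' filter from the first post is not modelled here.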