Potential BearLPE Exploitation

Detects potential exploitation of the BearLPE exploit using Task Scheduler ".job" import arbitrary DACL write

Sigma rule

title: Potential BearLPE Exploitation
id: 931b6802-d6a6-4267-9ffa-526f57f22aaf
status: test
description: Detects potential exploitation of the BearLPE exploit using Task Scheduler ".job" import arbitrary DACL write\par
references:
    - https://github.com/djhohnstein/polarbearrepo/blob/f26d3e008093cc5c835e92a7165170baf6713d43/bearlpe/polarbear/polarbear/exploit.cpp
author: Olaf Hartong
date: 2019/05/22
modified: 2023/01/26
tags:
    - attack.privilege_escalation
    - attack.t1053.005
    - car.2013-08-001
    - detection.emerging_threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\schtasks.exe'
        - OriginalFileName: 'schtasks.exe'
    selection_cli:
        CommandLine|contains|all:
            - '/change'
            - '/TN'
            - '/RU'
            - '/RP'
    condition: all of selection*
falsepositives:
    - Unknown
level: high
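An added example, not part of the SigmaHQ rule or this page: a small Python evaluator that applies the rule's two selections to constructed process_creation events, using Sigma's default case-insensitive string matching. The event dicts and their field values are constructed for illustration; the renamed-binary event shows why the rule also keys on OriginalFileName.

```python
"""Added example: evaluate the BearLPE Sigma rule over constructed events."""

# Mirror of the rule's selections. Sigma string matching is case-insensitive
# by default, so both sides are lower-cased before comparison.
IMAGE_SUFFIX = "\\schtasks.exe"
ORIGINAL_FILE_NAME = "schtasks.exe"
CLI_TOKENS = ("/change", "/TN", "/RU", "/RP")


def selection_img(event: dict) -> bool:
    """selection_img: a list under the selection is OR in Sigma, so either
    the image path suffix or the PE OriginalFileName (which survives a
    renamed copy of schtasks.exe) is enough."""
    image = event.get("Image", "").lower()
    ofn = event.get("OriginalFileName", "").lower()
    return image.endswith(IMAGE_SUFFIX.lower()) or ofn == ORIGINAL_FILE_NAME


def selection_cli(event: dict) -> bool:
    """selection_cli: contains|all requires every token to be present."""
    cmd = event.get("CommandLine", "").lower()
    return all(tok.lower() in cmd for tok in CLI_TOKENS)


def matches(event: dict) -> bool:
    """condition: all of selection*"""
    return selection_img(event) and selection_cli(event)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Expected hit: schtasks.exe changing a task's run-as credentials.
    {"Image": r"C:\Windows\System32\schtasks.exe", "OriginalFileName": "schtasks.exe",
     "CommandLine": r'schtasks.exe /change /TN "\Example" /RU "NT AUTHORITY\SYSTEM" /RP ""'},
    # Renamed binary with lower-case switches: only OriginalFileName identifies it.
    {"Image": r"C:\Users\Public\t.exe", "OriginalFileName": "schtasks.exe",
     "CommandLine": r't.exe /change /tn "\Example" /ru user /rp placeholder'},
    # Benign task creation: /change is absent, so selection_cli fails.
    {"Image": r"C:\Windows\System32\schtasks.exe", "OriginalFileName": "schtasks.exe",
     "CommandLine": r'schtasks.exe /create /TN "\Backup" /TR notepad.exe /SC daily'},
    # Same switches echoed by another binary: selection_img fails.
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd.exe /c echo /change /TN /RU /RP"},
]


def evaluate(events: list) -> list:
    """Return one verdict per event, in input order."""
    return [matches(e) for e in events]


if __name__ == "__main__":
    for e, hit in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print("MATCH" if hit else "     ", e["CommandLine"])
```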
