CVE-2021-31979 CVE-2021-33771 Exploits
Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum
Sigma rule
title: CVE-2021-31979 CVE-2021-33771 Exploits
id: 32b5db62-cb5f-4266-9639-0fa48376ac00
status: test
description: Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum
references:
    - https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/
    - https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/
author: Sittikorn S, frack113
date: 2021-07-16
modified: 2023-08-17
tags:
    - attack.initial-access
    - attack.execution
    - attack.credential-access
    - attack.t1566
    - attack.t1203
    - cve.2021-33771
    - cve.2021-31979
    - detection.emerging-threats
    # - threat_group.Sourgum
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|endswith:
            - 'CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32\(Default)'
            - 'CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\(Default)'
    filter:
        Details|endswith:
            - 'system32\wbem\wmiutils.dll'
            - 'system32\wbem\wbemsvc.dll'
    condition: selection and not filter
falsepositives:
    - Unlikely
level: critical
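The rule fires when the InprocServer32 default value of either listed CLSID is set to anything other than the two legitimate WMI DLLs under system32\wbem. The following added example (not part of the rule or the Sigma project) evaluates that `selection and not filter` logic over constructed registry_set events, using the Sysmon field names TargetObject and Details and Sigma's default case-insensitive matching; all event values are made up for illustration.

```python
# Added example: apply the Sigma rule's matching logic to registry_set events.
# Field names follow the Sigma registry_set logsource (TargetObject, Details).
SELECTION_SUFFIXES = (
    r"CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32\(Default)",
    r"CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\(Default)",
)
FILTER_SUFFIXES = (
    r"system32\wbem\wmiutils.dll",
    r"system32\wbem\wbemsvc.dll",
)


def _endswith_any(value, suffixes):
    # Sigma string modifiers are case-insensitive unless |cased is used,
    # which is why "InprocServer32" and "InProcServer32" both match.
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def matches_rule(event):
    """Return True when the event satisfies 'selection and not filter'."""
    selection = _endswith_any(event.get("TargetObject", ""), SELECTION_SUFFIXES)
    filt = _endswith_any(event.get("Details", ""), FILTER_SUFFIXES)
    return selection and not filt


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Benign: the WMI CLSID's InprocServer32 still points at the legitimate wbem DLL.
    {"TargetObject": r"HKLM\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32\(Default)",
     "Details": r"%SystemRoot%\system32\wbem\wmiutils.dll"},
    # Suspicious: same kind of key, but the handler is now a DLL outside system32\wbem.
    # The hive prefix does not matter because the rule uses |endswith.
    {"TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\(Default)",
     "Details": r"C:\Users\Public\Libraries\constructed_example.dll"},
    # Unrelated registry write: not in selection, never alerts.
    {"TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Program Files\Vendor\updater.exe"},
]


def alerts(events):
    """Indexes of events that would trigger the rule."""
    return [i for i, e in enumerate(events) if matches_rule(e)]


if __name__ == "__main__":
    print(alerts(SAMPLE_EVENTS))  # [1]
```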
Related rules
- CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum
- Potential Exploitation of CVE-2025-4427/4428 Ivanti EPMM Pre-Auth RCE
- Exploit for CVE-2017-0261
- Exploit for CVE-2017-8759
- CVE-2024-50623 Exploitation Attempt - Cleo