Serv-U Exploitation CVE-2021-35211 by DEV-0322
Detects patterns as noticed in exploitation of Serv-U CVE-2021-35211 vulnerability by threat group DEV-0322
Sigma rule

```yaml
title: Serv-U Exploitation CVE-2021-35211 by DEV-0322
id: 75578840-9526-4b2a-9462-af469a45e767
status: test
description: Detects patterns as noticed in exploitation of Serv-U CVE-2021-35211 vulnerability by threat group DEV-0322
references:
    - https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/
author: Florian Roth (Nextron Systems)
date: 2021-07-14
modified: 2022-12-18
tags:
    - attack.persistence
    - attack.t1136.001
    - cve.2021-35211
    - detection.emerging-threats
    # - threat_group.DEV-0322
logsource:
    category: process_creation
    product: windows
detection:
    selection_whoami:
        CommandLine|contains: 'whoami'
    selection_cmd_1:
        CommandLine|contains:
            - './Client/Common/'
            - '.\Client\Common\'
    selection_cmd_2:
        CommandLine|contains: 'C:\Windows\Temp\Serv-U.bat'
    condition: selection_whoami and 1 of selection_cmd*
falsepositives:
    - Unlikely
level: critical
```
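The condition `selection_whoami and 1 of selection_cmd*` only fires when a single process_creation event carries both a `whoami` substring and one of the Serv-U path artefacts. The following added example (not part of the rule or the Sigma project) re-implements that logic in Python over a few constructed events, assuming each event is a dict with a `CommandLine` field, so a detection engineer can check how the rule behaves before deploying it:

```python
# Added example: evaluates this rule's detection logic over constructed
# process_creation events. Not the rule's own tooling; sample data is made up.

# Substrings from the rule's three selections
WHOAMI = ["whoami"]
CMD_1 = ["./Client/Common/", ".\\Client\\Common\\"]
CMD_2 = ["C:\\Windows\\Temp\\Serv-U.bat"]


def _contains_any(value: str, needles: list[str]) -> bool:
    # Sigma string matching (including |contains) is case-insensitive by default
    v = value.lower()
    return any(n.lower() in v for n in needles)


def matches_rule(event: dict) -> bool:
    # Mirrors: condition: selection_whoami and 1 of selection_cmd*
    cmd = event.get("CommandLine", "")
    selection_whoami = _contains_any(cmd, WHOAMI)
    selection_cmd_1 = _contains_any(cmd, CMD_1)
    selection_cmd_2 = _contains_any(cmd, CMD_2)
    return selection_whoami and (selection_cmd_1 or selection_cmd_2)


# Constructed sample events (assumed field names follow the Sigma process_creation model)
SAMPLE_EVENTS = [
    # both whoami and the Client/Common path -> alert
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c whoami > .\\Client\\Common\\out.txt"},
    # Serv-U.bat path plus WHOAMI in upper case -> alert (case-insensitive)
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c C:\\Windows\\Temp\\Serv-U.bat && WHOAMI"},
    # whoami alone, no Serv-U artefact -> no alert
    {"Image": "C:\\Windows\\System32\\whoami.exe", "CommandLine": "whoami /all"},
    # path alone, no whoami -> no alert
    {"Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe .\\Client\\Common\\readme.txt"},
]


def alerts(events: list[dict]) -> list[str]:
    # Returns the command lines of every event the rule would flag
    return [e["CommandLine"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for line in alerts(SAMPLE_EVENTS):
        print("ALERT:", line)
```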
Related rules
- COLDSTEEL Persistence Service Creation
- COLDSTEEL RAT Anonymous User Process Execution
- COLDSTEEL RAT Cleanup Command Execution
- COLDSTEEL RAT Service Persistence Execution
- CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit