Serv-U Exploitation CVE-2021-35211 by DEV-0322

Detects patterns as noticed in exploitation of Serv-U CVE-2021-35211 vulnerability by threat group DEV-0322

Sigma rule (View on GitHub)

 1title: Serv-U Exploitation CVE-2021-35211 by DEV-0322
 2id: 75578840-9526-4b2a-9462-af469a45e767
 3status: test
 4description: Detects patterns as noticed in exploitation of Serv-U CVE-2021-35211 vulnerability by threat group DEV-0322
 5references:
 6    - https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/
 7author: Florian Roth (Nextron Systems)
 8date: 2021-07-14
 9modified: 2022-12-18
10tags:
11    - attack.persistence
12    - attack.t1136.001
13    - cve.2021-35211
14    - detection.emerging-threats
15    # - threat_group.DEV-0322
16logsource:
17    category: process_creation
18    product: windows
19detection:
20    selection_whoami:
21        CommandLine|contains: 'whoami'
22    selection_cmd_1:
23        CommandLine|contains:
24            - './Client/Common/'
25            - '.\Client\Common\'
26    selection_cmd_2:
27        CommandLine|contains: 'C:\Windows\Temp\Serv-U.bat'
28    condition: selection_whoami and 1 of selection_cmd*
29falsepositives:
30    - Unlikely
31level: critical

References

Related rules

to-top