LPE InstallerFileTakeOver PoC CVE-2021-41379
Detects PoC tool used to exploit LPE vulnerability CVE-2021-41379
Sigma rule (View on GitHub)
1title: LPE InstallerFileTakeOver PoC CVE-2021-41379
2id: 7dbb86de-a0cc-494c-8aa8-b2996c9ef3c8
3status: test
4description: Detects PoC tool used to exploit LPE vulnerability CVE-2021-41379
5references:
6 - https://web.archive.org/web/20220421061949/https://github.com/klinix5/InstallerFileTakeOver
7author: Florian Roth (Nextron Systems)
8date: 2021-11-22
9modified: 2022-07-12
10tags:
11 - attack.initial-access
12 - attack.t1190
13 - detection.emerging-threats
14logsource:
15 product: windows
16 service: application
17 # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
18detection:
19 selection:
20 EventID: 1033
21 Provider_Name: 'MsiInstaller'
22 Data|contains: 'test pkg'
23 condition: selection
24falsepositives:
25 - Other MSI packages for which your admins have used that name
26level: high
References
Related rules
- Potential CVE-2021-44228 Exploitation Attempt - VMware Horizon
- Potential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code Execution
- Potential Information Disclosure CVE-2023-43261 Exploitation - Proxy
- Potential Information Disclosure CVE-2023-43261 Exploitation - Web
- Potential MOVEit Transfer CVE-2023-34362 Exploitation - File Activity