CVE-2021-44077 POC Default Dropped File
Detects the creation of "msiexec.exe" in the "bin" directory of the ManageEngine SupportCenter Plus (Related to CVE-2021-44077) and public POC available (See references section)
Sigma rule (View on GitHub)
1title: CVE-2021-44077 POC Default Dropped File
2id: 7b501acf-fa98-4272-aa39-194f82edc8a3
3status: test
4description: Detects the creation of "msiexec.exe" in the "bin" directory of the ManageEngine SupportCenter Plus (Related to CVE-2021-44077) and public POC available (See references section)
5references:
6 - https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/
7 - https://github.com/horizon3ai/CVE-2021-44077/blob/b7a48e25824e8ead95e028475c7fd0e107e6e6bf/exploit.py
8author: Nasreddine Bencherchali (Nextron Systems)
9date: 2022-06-06
10tags:
11 - attack.execution
12 - cve.2021-44077
13 - detection.emerging-threats
14logsource:
15 category: file_event
16 product: windows
17detection:
18 selection:
19 TargetFilename|endswith: '\ManageEngine\SupportCenterPlus\bin\msiexec.exe'
20 condition: selection
21falsepositives:
22 - Unlikely
23level: high
References
Related rules
- APT29 2018 Phishing Campaign CommandLine Indicators
- Adwind RAT / JRAT
- Blue Mockingbird
- CVE-2021-1675 Print Spooler Exploitation
- CVE-2021-1675 Print Spooler Exploitation IPC Access