CVE-2021-44077 POC Default Dropped File
Detects the creation of "msiexec.exe" in the "bin" directory of the ManageEngine SupportCenter Plus (Related to CVE-2021-44077) and public POC available (See references section)
Sigma rule (View on GitHub)
1title: CVE-2021-44077 POC Default Dropped File
2id: 7b501acf-fa98-4272-aa39-194f82edc8a3
3status: test
4description: Detects the creation of "msiexec.exe" in the "bin" directory of the ManageEngine SupportCenter Plus (Related to CVE-2021-44077) and public POC available (See references section)
5references:
6 - https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/
7 - https://github.com/horizon3ai/CVE-2021-44077/blob/b7a48e25824e8ead95e028475c7fd0e107e6e6bf/exploit.py
8author: Nasreddine Bencherchali (Nextron Systems)
9date: 2022/06/06
10tags:
11 - attack.execution
12 - cve.2021.44077
13 - detection.emerging_threats
14logsource:
15 category: file_event
16 product: windows
17detection:
18 selection:
19 TargetFilename|endswith: '\ManageEngine\SupportCenterPlus\bin\msiexec.exe'
20 condition: selection
21falsepositives:
22 - Unlikely
23level: high
References
-
In this multi-day intrusion, we observed a threat actor gain initial access to an organization by exploiting a vulnerability in ManageEngine SupportCenter Plus. The threat actor, discovered files o…
Read More -
Proof of Concept Exploit for ManageEngine ServiceDesk Plus CVE-2021-44077 - horizon3ai/CVE-2021-44077
Read More
Related rules
- CVE-2021-1675 Print Spooler Exploitation Filename Pattern
- CVE-2021-26858 Exchange Exploitation
- DarkGate - Autoit3.EXE Execution Parameters
- DarkGate - Autoit3.EXE File Creation By Uncommon Process
- Turla Group Named Pipes