CVE-2021-31979 CVE-2021-33771 Exploits
Detects patterns as noticed in exploitation of the Windows CVE-2021-31979 and CVE-2021-33771 vulnerabilities and the DevilsTongue malware used by threat group Sourgum: a registry write that repoints the InprocServer32 default value of two WMI-related CLSIDs away from the legitimate DLLs under system32\wbem.
Sigma rule:

title: CVE-2021-31979 CVE-2021-33771 Exploits
id: 32b5db62-cb5f-4266-9639-0fa48376ac00
status: test
description: Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum
references:
    - https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/
    - https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/
author: Sittikorn S, frack113
date: 2021-07-16
modified: 2023-08-17
tags:
    - attack.credential-access
    - attack.t1566
    - attack.t1203
    - cve.2021-33771
    - cve.2021-31979
    - detection.emerging-threats
    # - threat_group.Sourgum
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|endswith:
            - CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32\(Default)
            - CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\(Default)
    filter:
        Details|endswith:
            - system32\wbem\wmiutils.dll
            - system32\wbem\wbemsvc.dll
    condition: selection and not filter
falsepositives:
    - Unlikely
level: critical
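The following is an added example, not part of the Sigma rule or of the page: it applies the rule's selection, filter and condition to a handful of constructed registry_set events (minimal Sysmon-style dicts with TargetObject and Details fields), matching suffixes case-insensitively as Sigma backends do by default. The event values and record ids are constructed for illustration.

```python
"""Added example: evaluate the 'selection and not filter' logic of the
CVE-2021-31979 / CVE-2021-33771 Sigma rule over constructed events."""

# Registry value paths the rule selects (TargetObject|endswith, from the rule).
SELECTION_SUFFIXES = (
    r"CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32\(Default)",
    r"CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\(Default)",
)
# Legitimate WMI DLLs that normally back these CLSIDs (Details|endswith, from the rule).
FILTER_SUFFIXES = (
    r"system32\wbem\wmiutils.dll",
    r"system32\wbem\wbemsvc.dll",
)


def _endswith_any(value, suffixes):
    """Sigma string modifiers compare case-insensitively by default."""
    lowered = value.lower()
    return any(lowered.endswith(s.lower()) for s in suffixes)


def matches_rule(event):
    """True when 'selection and not filter' holds for one registry_set event."""
    selection = _endswith_any(event.get("TargetObject", ""), SELECTION_SUFFIXES)
    filtered = _endswith_any(event.get("Details", ""), FILTER_SUFFIXES)
    return selection and not filtered


def alert_events(events):
    """Return the events that would raise this critical-level alert."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry); 'Id' is just a record label.
CLSID_A = r"HKLM\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32\(Default)"
CLSID_B = r"HKLM\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\(Default)"
SAMPLE_EVENTS = [
    # Expected value written by Windows itself: selected, but removed by the filter.
    {"Id": 1, "TargetObject": CLSID_A, "Details": r"C:\Windows\system32\wbem\wmiutils.dll"},
    # CLSID repointed at an unexpected DLL (constructed path): the rule fires.
    {"Id": 2, "TargetObject": CLSID_A, "Details": r"C:\Users\Public\constructed-unknown.dll"},
    # Mixed-case legitimate path: still filtered because matching is case-insensitive.
    {"Id": 3, "TargetObject": CLSID_B, "Details": r"C:\WINDOWS\System32\wbem\WBEMSVC.DLL"},
    # Unrelated registry write: not selected at all.
    {"Id": 4, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Example",
     "Details": r"C:\example\constructed.exe"},
]

if __name__ == "__main__":
    for hit in alert_events(SAMPLE_EVENTS):
        print("ALERT (critical):", hit)
```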
Related rules
- CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum
- APT31 Judgement Panda Activity
- Audit CVE Event
- CVE-2021-26858 Exchange Exploitation
- CVE-2023-23397 Exploitation Attempt