CVE-2021-31979 CVE-2021-33771 Exploits

Detects registry modifications observed during exploitation of the Windows vulnerabilities CVE-2021-31979 and CVE-2021-33771 and deployment of the DevilsTongue malware by the threat group Sourgum

Sigma rule

title: CVE-2021-31979 CVE-2021-33771 Exploits
id: 32b5db62-cb5f-4266-9639-0fa48376ac00
status: experimental
description: Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum
references:
    - https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/
    - https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/
author: Sittikorn S, frack113
date: 2021/07/16
modified: 2023/08/17
tags:
    - attack.credential_access
    - attack.t1566
    - attack.t1203
    - cve.2021.33771
    - cve.2021.31979
    - detection.emerging_threats
    # - threat_group.Sourgum
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|endswith:
            - CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32\(Default)
            - CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\(Default)
    filter:
        Details|endswith:
            - system32\wbem\wmiutils.dll
            - system32\wbem\wbemsvc.dll
    condition: selection and not filter
falsepositives:
    - Unlikely
level: critical
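The rule fires when the (Default) value of the InprocServer32 key for either of the two CLSIDs is rewritten to anything other than the stock WMI DLLs under system32\wbem, which is the registry footprint of a COM hijack. The following is an added reference implementation of that selection/filter logic, not code from the rule or its references, run over constructed Sysmon Event ID 13 (RegistryEvent: Value Set) records; the field names TargetObject and Details are the Sysmon fields that Sigma's windows/registry_set logsource maps onto, and every image path, DLL path and SID in the sample events is made up for the example.

```python
"""Reference implementation of the Sigma rule's detection block, evaluated
over constructed Sysmon Event ID 13 records (added example, not part of the
rule). Field names follow the Sysmon schema used by windows/registry_set."""

# selection: the (Default) value of InprocServer32 is the DLL that COM loads
# for the CLSID, so rewriting it for a CLSID the writer does not own is a COM
# hijack. Both CLSIDs normally resolve to WMI DLLs under system32\wbem.
SELECTION_TARGETOBJECT_ENDSWITH = (
    r"CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32\(Default)",
    r"CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\(Default)",
)

# filter: the legitimate values Windows itself writes for those keys.
FILTER_DETAILS_ENDSWITH = (
    r"system32\wbem\wmiutils.dll",
    r"system32\wbem\wbemsvc.dll",
)


def endswith_ci(value: str, suffixes) -> bool:
    """Sigma's endswith modifier matches case-insensitively by default."""
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def matches(event: dict) -> bool:
    """condition: selection and not filter"""
    selection = endswith_ci(event.get("TargetObject", ""), SELECTION_TARGETOBJECT_ENDSWITH)
    excluded = endswith_ci(event.get("Details", ""), FILTER_DETAILS_ENDSWITH)
    return selection and not excluded


def alerts(events) -> list:
    """Return the new DLL path (Details) of every event the rule fires on."""
    return [e["Details"] for e in events if matches(e)]


# Constructed sample telemetry; all paths and the SID are hypothetical.
SAMPLE_EVENTS = [
    {  # 0: stock value rewritten by Windows servicing -> removed by filter
        "EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
        "TargetObject": r"HKLM\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32\(Default)",
        "Details": r"C:\Windows\System32\wbem\wmiutils.dll",
    },
    {  # 1: machine-wide hijack, InProcServer32 pointed at a foreign DLL -> alert
        "EventID": 13, "Image": r"C:\Users\Public\setup.exe",
        "TargetObject": r"HKLM\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\(Default)",
        "Details": r"C:\Users\Public\update.dll",
    },
    {  # 2: per-user hijack (HKCU is logged by Sysmon as HKU\<SID>), no admin rights needed -> alert
        "EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Temp\a.exe",
        "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32\(Default)",
        "Details": r"C:\Users\alice\AppData\Roaming\wmiutils.dll",
    },
    {  # 3: unrelated CLSID -> not in selection
        "EventID": 13, "Image": r"C:\Windows\System32\regsvr32.exe",
        "TargetObject": r"HKLM\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32\(Default)",
        "Details": r"C:\Program Files\Example\example.dll",
    },
    {  # 4: filter weakness: attacker directory whose tail mimics the stock path -> missed
        "EventID": 13, "Image": r"C:\Users\Public\setup.exe",
        "TargetObject": r"HKLM\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32\(Default)",
        "Details": r"C:\Users\Public\system32\wbem\wmiutils.dll",
    },
]

if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVENTS):
        print("ALERT: InprocServer32 now points at", hit)
```

Two points worth keeping in mind when deploying the rule. Event 2 shows that a per-user override under HKCU\Software\Classes (logged as HKU\<SID>\...) matches as well, because the selection only anchors on the tail of the key path; COM consults the per-user hive first, so that variant is the one an unprivileged implant would use. Event 4 shows the limit of the filter: it only checks that the value ends with system32\wbem\<dll>, so a DLL staged in any directory that reproduces that tail slips past it. If your environment allows it, tightening the filter to the full stock path (for example Details|startswith: C:\Windows\ in addition to the endswith) closes that gap at the cost of needing per-host drive-letter awareness.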
