Potential CVE-2023-21554 QueueJumper Exploitation
Detects potential exploitation of CVE-2023-21554 (dubbed QueueJumper)
Sigma rule:

```yaml
title: Potential CVE-2023-21554 QueueJumper Exploitation
id: 53207cc2-0745-4c19-bc72-80be1cc16b3f
status: test
description: Detects potential exploitation of CVE-2023-21554 (dubbed QueueJumper)
references:
    - https://research.checkpoint.com/2023/queuejumper-critical-unauthorized-rce-vulnerability-in-msmq-service/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-12
tags:
    - attack.privilege-escalation
    - attack.execution
    - cve.2023-21554
    - detection.emerging-threats
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentImage|endswith: '\Windows\System32\mqsvc.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\schtasks.exe'
            - '\wmic.exe'
            - '\wscript.exe'
            - '\wsl.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
```
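To show how the selection block above evaluates against process_creation telemetry, here is an added Python example (not part of the Sigma project or of this rule) that applies the same ParentImage/Image suffix matching, case-insensitive as Sigma's default string comparison is, to a few constructed sample events.

```python
# Added example: evaluates the QueueJumper Sigma selection above against
# constructed process_creation events. Not part of the Sigma project.

PARENT_SUFFIX = r"\Windows\System32\mqsvc.exe"
CHILD_SUFFIXES = (
    r"\cmd.exe", r"\cscript.exe", r"\mshta.exe", r"\powershell.exe",
    r"\pwsh.exe", r"\regsvr32.exe", r"\rundll32.exe", r"\schtasks.exe",
    r"\wmic.exe", r"\wscript.exe", r"\wsl.exe",
)


def matches_queuejumper_rule(event: dict) -> bool:
    """True when the event satisfies the rule's 'selection' block.
    Sigma 'endswith' is case-insensitive by default, so both fields
    are lower-cased before comparison."""
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    if not parent.endswith(PARENT_SUFFIX.lower()):
        return False
    return any(image.endswith(s.lower()) for s in CHILD_SUFFIXES)


# Constructed sample events (Sysmon Event ID 1 / process_creation shape).
SAMPLE_EVENTS = [
    {   # MSMQ service spawning cmd.exe: should alert
        "ParentImage": r"C:\Windows\System32\mqsvc.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
    },
    {   # Same, with the mixed case some collectors emit: should alert
        "ParentImage": r"c:\windows\system32\MQSVC.EXE",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe",
    },
    {   # Child not in the list: no alert
        "ParentImage": r"C:\Windows\System32\mqsvc.exe",
        "Image": r"C:\Windows\System32\conhost.exe",
    },
    {   # Benign parent: no alert even though cmd.exe is launched
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
    },
]


def run_rule(events):
    """Return the indices of the events that fire the rule."""
    return [i for i, ev in enumerate(events) if matches_queuejumper_rule(ev)]


if __name__ == "__main__":
    print("alerting events:", run_rule(SAMPLE_EVENTS))  # -> [0, 1]
```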
Related rules
- Exploiting SetupComplete.cmd CVE-2019-1378
- APT PRIVATELOG Image Load Pattern
- APT29 2018 Phishing Campaign CommandLine Indicators
- Adwind RAT / JRAT
- Audit CVE Event