Potential CVE-2023-21554 QueueJumper Exploitation

Detects potential exploitation of CVE-2023-21554 (dubbed QueueJumper)

Sigma rule (View on GitHub)

 1title: Potential CVE-2023-21554 QueueJumper Exploitation
 2id: 53207cc2-0745-4c19-bc72-80be1cc16b3f
 3status: test
 4description: Detects potential exploitation of CVE-2023-21554 (dubbed QueueJumper)
 5references:
 6    - https://research.checkpoint.com/2023/queuejumper-critical-unauthorized-rce-vulnerability-in-msmq-service/
 7author: Nasreddine Bencherchali (Nextron Systems)
 8date: 2023-04-12
 9tags:
10    - attack.privilege-escalation
11    - attack.execution
12    - cve.2023-21554
13    - detection.emerging-threats
14logsource:
15    product: windows
16    category: process_creation
17detection:
18    selection:
19        ParentImage|endswith: '\Windows\System32\mqsvc.exe'
20        Image|endswith:
21            - '\cmd.exe'
22            - '\cscript.exe'
23            - '\mshta.exe'
24            - '\powershell.exe'
25            - '\pwsh.exe'
26            - '\regsvr32.exe'
27            - '\rundll32.exe'
28            - '\schtasks.exe'
29            - '\wmic.exe'
30            - '\wscript.exe'
31            - '\wsl.exe'
32    condition: selection
33falsepositives:
34    - Unknown
35level: high

References

Related rules

to-top