Potential CVE-2023-21554 QueueJumper Exploitation

Detects potential exploitation of CVE-2023-21554 (dubbed QueueJumper)

Sigma rule

title: Potential CVE-2023-21554 QueueJumper Exploitation
id: 53207cc2-0745-4c19-bc72-80be1cc16b3f
status: test
description: Detects potential exploitation of CVE-2023-21554 (dubbed QueueJumper)
references:
    - https://research.checkpoint.com/2023/queuejumper-critical-unauthorized-rce-vulnerability-in-msmq-service/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/04/12
tags:
    - attack.privilege_escalation
    - attack.execution
    - cve.2023.21554
    - detection.emerging_threats
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentImage|endswith: '\Windows\System32\mqsvc.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\schtasks.exe'
            - '\wmic.exe'
            - '\wscript.exe'
            - '\wsl.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
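
The rule's selection, evaluated in Python over constructed process-creation events to show which parent/child pairs it does and does not match. This is an added example, not code from the Sigma project or the rule's author; the function names, the `EventRecordID` values and all sample events are assumptions made for illustration.

```python
# Added example: the rule's `selection` applied to process-creation events.
# Function names and the sample events are constructed for illustration.
PARENT_SUFFIX = r"\Windows\System32\mqsvc.exe"
CHILD_SUFFIXES = (
    r"\cmd.exe", r"\cscript.exe", r"\mshta.exe", r"\powershell.exe",
    r"\pwsh.exe", r"\regsvr32.exe", r"\rundll32.exe", r"\schtasks.exe",
    r"\wmic.exe", r"\wscript.exe", r"\wsl.exe",
)


def _endswith(value, suffix):
    # Sigma compares strings case-insensitively unless a modifier says otherwise.
    return isinstance(value, str) and value.lower().endswith(suffix.lower())


def matches_rule(event):
    """True when ParentImage AND Image both satisfy the selection."""
    if not _endswith(event.get("ParentImage"), PARENT_SUFFIX):
        return False
    return any(_endswith(event.get("Image"), s) for s in CHILD_SUFFIXES)


def triage(events):
    """Return the EventRecordID of every event the selection matches."""
    return [e["EventRecordID"] for e in events if matches_rule(e)]


# Constructed events (field names as in Sysmon Event ID 1).
SAMPLE_EVENTS = [
    {"EventRecordID": 1, "ParentImage": r"C:\Windows\System32\mqsvc.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"EventRecordID": 2, "ParentImage": r"C:\WINDOWS\system32\MQSVC.EXE",
     "Image": r"C:\Program Files\PowerShell\7\pwsh.exe"},
    # Parent is services.exe starting the MSMQ service: expected, no match.
    {"EventRecordID": 3, "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\mqsvc.exe"},
    # Same file name outside \Windows\System32: the path suffix does not match.
    {"EventRecordID": 4, "ParentImage": r"C:\Temp\mqsvc.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
    # Leading backslash in the suffix stops "notcmd.exe" from matching.
    {"EventRecordID": 5, "ParentImage": r"C:\Windows\System32\mqsvc.exe",
     "Image": r"C:\Tools\notcmd.exe"},
    # Missing ParentImage (incomplete telemetry) must not raise or match.
    {"EventRecordID": 6, "Image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

Event 6 shows the telemetry dependency: a source that does not record `ParentImage` can never satisfy this selection.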