CVE-2022-24527 Microsoft Connected Cache LPE
Detects files created during exploitation of the CVE-2022-24527 Microsoft Connected Cache local privilege escalation: a write to the WebAdministration PowerShell module path by an account that is not a system authority account.
Sigma rule
title: CVE-2022-24527 Microsoft Connected Cache LPE
id: e0a41412-c69a-446f-8e6e-0e6d7483dad7
status: test
description: Detects files created during the local privilege exploitation of CVE-2022-24527 Microsoft Connected Cache
references:
    - https://www.rapid7.com/blog/post/2022/04/12/cve-2022-24527-microsoft-connected-cache-local-privilege-escalation-fixed/
author: Florian Roth (Nextron Systems)
date: 2022-04-13
tags:
    - attack.privilege-escalation
    - attack.t1059.001
    - cve.2022-24527
    - detection.emerging-threats
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith: 'WindowsPowerShell\Modules\webAdministration\webAdministration.psm1'
    filter:
        User|contains: # covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
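To show what the rule's selection and filter actually match, here is an added Python reimplementation of its detection logic (not the Sigma project's own code or backend) run over constructed Sysmon file-creation events. The event dictionaries, their field names and the sample user names are assumptions made for this example; Sigma string modifiers are matched case-insensitively, as the Sigma default specifies.

```python
# Constructed Sysmon-style file-creation events (Event ID 11). These are
# sample inputs for the example, not real telemetry.
SAMPLE_EVENTS = [
    # Legitimate SYSTEM write (English locale) -> excluded by the filter
    {"EventID": 11, "User": "NT AUTHORITY\\SYSTEM",
     "TargetFilename": r"C:\Program Files\WindowsPowerShell\Modules\webAdministration\webAdministration.psm1"},
    # Unprivileged user planting the module -> should match the rule
    {"EventID": 11, "User": "DESKTOP-01\\alice",
     "TargetFilename": r"C:\Program Files\WindowsPowerShell\Modules\webAdministration\webAdministration.psm1"},
    # Localised system account (French) with different path casing -> excluded
    {"EventID": 11, "User": "AUTORITE NT\\Syst\u00e8me",
     "TargetFilename": r"C:\Program Files\WindowsPowerShell\Modules\WebAdministration\WEBADMINISTRATION.PSM1"},
    # Unrelated file write by the same user -> selection does not apply
    {"EventID": 11, "User": "DESKTOP-01\\alice",
     "TargetFilename": r"C:\Users\alice\notes.txt"},
]

# Values taken from the rule above
TARGET_SUFFIX = r"WindowsPowerShell\Modules\webAdministration\webAdministration.psm1"
AUTHORITY_MARKERS = ("AUTHORI", "AUTORI")  # covers many language settings

def selection(event):
    """TargetFilename|endswith, case-insensitive like Sigma's default."""
    # logsource category file_event / product windows maps to Sysmon EID 11
    if event.get("EventID") != 11:
        return False
    name = event.get("TargetFilename", "")
    return name.lower().endswith(TARGET_SUFFIX.lower())

def authority_filter(event):
    """User|contains any of the markers, case-insensitive."""
    user = event.get("User", "").upper()
    return any(marker in user for marker in AUTHORITY_MARKERS)

def matches(event):
    """condition: selection and not filter"""
    return selection(event) and not authority_filter(event)

def run_rule(events):
    """Return the events the rule would alert on."""
    return [e for e in events if matches(e)]

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print("ALERT", hit["User"], hit["TargetFilename"])
```

Only the second event survives: the SYSTEM and localised "AUTORITE NT" writes are dropped by the filter, and the unrelated file never passes the selection.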
Related rules
- APT PRIVATELOG Image Load Pattern
- Exploited CVE-2020-10189 Zoho ManageEngine
- Exploiting SetupComplete.cmd CVE-2019-1378
- Greenbug Espionage Group Indicators
- HackTool - CrackMapExec Execution