CVE-2022-24527 Microsoft Connected Cache LPE
Detects files created during the local privilege exploitation of CVE-2022-24527 Microsoft Connected Cache
Sigma rule (View on GitHub)
1title: CVE-2022-24527 Microsoft Connected Cache LPE
2id: e0a41412-c69a-446f-8e6e-0e6d7483dad7
3status: test
4description: Detects files created during the local privilege exploitation of CVE-2022-24527 Microsoft Connected Cache
5references:
6 - https://www.rapid7.com/blog/post/2022/04/12/cve-2022-24527-microsoft-connected-cache-local-privilege-escalation-fixed/
7author: Florian Roth (Nextron Systems)
8date: 2022/04/13
9tags:
10 - attack.privilege_escalation
11 - attack.t1059.001
12 - cve.2022.24527
13 - detection.emerging_threats
14logsource:
15 category: file_event
16 product: windows
17detection:
18 selection:
19 TargetFilename|endswith: 'WindowsPowerShell\Modules\webAdministration\webAdministration.psm1'
20 filter:
21 User|contains: # covers many language settings
22 - 'AUTHORI'
23 - 'AUTORI'
24 condition: selection and not filter
25falsepositives:
26 - Unknown
27level: high
References
-
On April 12, 2022, Microsoft published CVE-2022-24527, a local privilege escalation vulnerability in Microsoft Connected Cache.
Read More
Related rules
- CVE-2021-1675 Print Spooler Exploitation Filename Pattern
- Exploitation Indicators Of CVE-2023-20198
- InstallerFileTakeOver LPE CVE-2021-41379 File Create Event
- Potential Baby Shark Malware Activity
- Potential CVE-2021-41379 Exploitation Attempt