Potential CVE-2022-26809 Exploitation Attempt
Detects suspicious remote procedure call (RPC) service anomalies based on the spawned sub processes (long shot to detect the exploitation of vulnerabilities like CVE-2022-26809)
Sigma rule

title: Potential CVE-2022-26809 Exploitation Attempt
id: a7cd7306-df8b-4398-b711-6f3e4935cf16
status: test
description: Detects suspicious remote procedure call (RPC) service anomalies based on the spawned sub processes (long shot to detect the exploitation of vulnerabilities like CVE-2022-26809)
references:
    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809
    - https://www.bleepingcomputer.com/startups/RpcSs.exe-14544.html
    - https://twitter.com/cyb3rops/status/1514217991034097664
    - https://www.securonix.com/blog/cve-2022-26809-remote-procedure-call-runtime-remote-code-execution-vulnerability-and-coverage/
author: Florian Roth (Nextron Systems)
date: 2022-04-13
modified: 2023-02-03
tags:
    - attack.initial-access
    - attack.t1190
    - attack.execution
    - attack.t1569.002
    - cve.2022-26809
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage: 'C:\Windows\System32\svchost.exe'
        ParentCommandLine|contains: '-k RPCSS'
    condition: selection
falsepositives:
    - Unknown
    - Some cases in which the service spawned a werfault.exe process
level: high
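The rule fires on any process whose parent is svchost.exe running the RPCSS service host. The following added example (not part of the Sigma project or the rule author's code) implements that selection over a few constructed process-creation events and flags the werfault.exe case the rule lists as a known false positive; it assumes Sigma's default semantics, where string comparisons and the `|contains` modifier are case-insensitive.

```python
# Added example: evaluates the detection logic of the rule above against
# constructed Windows process-creation events (not real telemetry).
# Assumption: Sigma string matching is case-insensitive, and `|contains`
# is a case-insensitive substring test.
from typing import Dict, List

# Child image named in the rule's falsepositives field
KNOWN_FP_CHILDREN = {"werfault.exe"}

def field_equals(event: Dict[str, str], field: str, value: str) -> bool:
    return event.get(field, "").lower() == value.lower()

def field_contains(event: Dict[str, str], field: str, value: str) -> bool:
    return value.lower() in event.get(field, "").lower()

def rule_matches(event: Dict[str, str]) -> bool:
    """condition: selection -- both fields of the selection must match."""
    return (field_equals(event, "ParentImage", r"C:\Windows\System32\svchost.exe")
            and field_contains(event, "ParentCommandLine", "-k RPCSS"))

def classify(event: Dict[str, str]) -> str:
    """Return 'alert', 'alert-possible-fp' or 'no-match' for one event."""
    if not rule_matches(event):
        return "no-match"
    child = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    return "alert-possible-fp" if child in KNOWN_FP_CHILDREN else "alert"

# Constructed sample events: RPCSS spawning a shell, RPCSS spawning WerFault,
# a different svchost service group, and a non-svchost parent.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "ParentCommandLine": r"C:\Windows\system32\svchost.exe -k RPCSS -p"},
    {"Image": r"C:\Windows\System32\WerFault.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "ParentCommandLine": r"C:\Windows\system32\svchost.exe -k rpcss"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "ParentCommandLine": r"C:\Windows\system32\svchost.exe -k netsvcs -p"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "ParentCommandLine": r"C:\Windows\Explorer.EXE"},
]

def run(events: List[Dict[str, str]]) -> List[str]:
    return [classify(e) for e in events]

if __name__ == "__main__":
    for e, verdict in zip(SAMPLE_EVENTS, run(SAMPLE_EVENTS)):
        print(f"{verdict:18} {e['Image']}")
```

Only the first two events match the selection; the second is surfaced separately so an analyst can triage the documented werfault.exe false positive without suppressing genuine child processes of the RPCSS host.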