MSMQ Corrupted Packet Encountered
Detects corrupted packets sent to the MSMQ service. Could potentially be a sign of CVE-2023-21554 exploitation
Sigma rule (View on GitHub)
1title: MSMQ Corrupted Packet Encountered
2id: ae94b10d-fee9-4767-82bb-439b309d5a27
3status: test
4description: Detects corrupted packets sent to the MSMQ service. Could potentially be a sign of CVE-2023-21554 exploitation
5references:
6 - https://www.randori.com/blog/vulnerability-analysis-queuejumper-cve-2023-21554/
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2023-04-21
9tags:
10 - attack.execution
11 - detection.emerging-threats
12logsource:
13 product: windows
14 service: application
15detection:
16 selection:
17 Provider_Name: 'MSMQ'
18 EventID: 2027
19 Level: 2
20 condition: selection
21falsepositives:
22 - Unknown
23level: high
References
-
Palo Alto Networks recently completed the acquisition of IBM's QRadar Software as a Service (SaaS) assets. IBM continue to sale QRadar on-premises.
Read More
Related rules
- APT29 2018 Phishing Campaign CommandLine Indicators
- Adwind RAT / JRAT
- Blue Mockingbird
- CVE-2021-1675 Print Spooler Exploitation
- CVE-2021-1675 Print Spooler Exploitation IPC Access