MSMQ Corrupted Packet Encountered
Detects corrupted packets sent to the MSMQ service. Could potentially be a sign of CVE-2023-21554 exploitation
Sigma rule (View on GitHub)
1title: MSMQ Corrupted Packet Encountered
2id: ae94b10d-fee9-4767-82bb-439b309d5a27
3status: test
4description: Detects corrupted packets sent to the MSMQ service. Could potentially be a sign of CVE-2023-21554 exploitation
5references:
6 - https://www.randori.com/blog/vulnerability-analysis-queuejumper-cve-2023-21554/
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2023/04/21
9tags:
10 - attack.execution
11 - detection.emerging_threats
12logsource:
13 product: windows
14 service: application
15detection:
16 selection:
17 Provider_Name: 'MSMQ'
18 EventID: 2027
19 Level: 2
20 condition: selection
21falsepositives:
22 - Unknown
23level: high
References
Related rules
- Potential APT FIN7 Reconnaissance/POWERTRASH Related Activity
- Potential APT FIN7 Related PowerShell Script Created
- Potential CVE-2023-21554 QueueJumper Exploitation
- Potential SNAKE Malware Installation Binary Indicator
- Potential SNAKE Malware Installation CLI Arguments Indicator