Potential Exploitation Attempt Of Undocumented WindowsServer RCE

Detects potential exploitation attempt of undocumented Windows Server Pre Auth Remote Code Execution (RCE)

Sigma rule

```yaml
title: Potential Exploitation Attempt Of Undocumented WindowsServer RCE
id: 6d5b8176-d87d-4402-8af4-53aee9db7b5d
status: test
description: Detects potential exploitation attempt of undocumented Windows Server Pre Auth Remote Code Execution (RCE)
references:
    - https://github.com/SigmaHQ/sigma/pull/3946
    - https://twitter.com/hackerfantastic/status/1616455335203438592?s=20
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali
date: 2023/01/21
tags:
    - detection.emerging_threats
    - attack.initial_access
    - attack.t1190
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\svchost.exe'
        Image|endswith: '\svchost.exe'
        ParentCommandLine|contains: '-k DHCPServer'
        CommandLine|contains: '-k DHCPServer'
        User|contains: # Covers many language settings for Network Service. Please expand.
            - 'NETWORK SERVICE'
            - 'NETZWERKDIENST'
            - 'SERVIZIO DI RETE'
            - 'SERVICIO DE RED'
    condition: selection
falsepositives:
    - Unknown
level: high
```
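As an added illustration that is not part of the rule or of the Sigma project, the Python below applies the selection above to constructed process_creation events: every field must match (the `condition: selection` AND), Sigma's `endswith`/`contains` are case-insensitive, and the localized `User` list is what lets the rule fire on a German-language host. Field names follow the Sigma Windows process_creation taxonomy; the sample events and paths are made up.

```python
# Added example (not the rule's or the Sigma project's code): a minimal matcher
# for the selection above, run over constructed process_creation events.
# Field names follow the Sigma Windows process_creation taxonomy.

# Values copied from the rule's User|contains list.
NETWORK_SERVICE_NAMES = ("NETWORK SERVICE", "NETZWERKDIENST",
                         "SERVIZIO DI RETE", "SERVICIO DE RED")


def matches_rule(event: dict) -> bool:
    """True when the event satisfies every field of the Sigma selection.

    Sigma string modifiers (endswith, contains) are case-insensitive, so all
    comparisons are done on upper-cased values.
    """
    def f(name: str) -> str:
        return str(event.get(name, "")).upper()

    return (f("ParentImage").endswith("\\SVCHOST.EXE")
            and f("Image").endswith("\\SVCHOST.EXE")
            and "-K DHCPSERVER" in f("ParentCommandLine")
            and "-K DHCPSERVER" in f("CommandLine")
            and any(n in f("User") for n in NETWORK_SERVICE_NAMES))


def alerts(events) -> list:
    """Indices of the events that trigger the rule."""
    return [i for i, e in enumerate(events) if matches_rule(e)]


SVCHOST = r"C:\Windows\System32\svchost.exe"
# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {  # DHCP Server host spawning another svchost in the same group: alert
        "ParentImage": SVCHOST, "ParentCommandLine": SVCHOST + " -k DHCPServer",
        "Image": SVCHOST, "CommandLine": SVCHOST + " -k DHCPServer",
        "User": r"NT AUTHORITY\NETWORK SERVICE"},
    {  # Same pattern on a German system; covered by the localized User list
        "ParentImage": SVCHOST, "ParentCommandLine": SVCHOST + " -k DHCPServer",
        "Image": SVCHOST, "CommandLine": SVCHOST + " -k DHCPServer",
        "User": r"NT-AUTORITÄT\NETZWERKDIENST"},
    {  # Ordinary service start by services.exe: parent is not svchost, no alert
        "ParentImage": r"C:\Windows\System32\services.exe",
        "ParentCommandLine": r"C:\Windows\System32\services.exe",
        "Image": SVCHOST, "CommandLine": SVCHOST + " -k DHCPServer",
        "User": r"NT AUTHORITY\NETWORK SERVICE"},
]

if __name__ == "__main__":
    print(alerts(SAMPLE_EVENTS))  # [0, 1]
```

The third event shows the normal baseline (services.exe starting the DHCP Server host), which is why the rule keys on svchost.exe as the parent rather than on the `-k DHCPServer` group alone.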
