Potential Exploitation Attempt Of Undocumented WindowsServer RCE
Detects potential exploitation attempt of undocumented Windows Server Pre Auth Remote Code Execution (RCE)
Sigma rule

title: Potential Exploitation Attempt Of Undocumented WindowsServer RCE
id: 6d5b8176-d87d-4402-8af4-53aee9db7b5d
status: test
description: Detects potential exploitation attempt of undocumented Windows Server Pre Auth Remote Code Execution (RCE)
references:
    - https://github.com/SigmaHQ/sigma/pull/3946
    - https://twitter.com/hackerfantastic/status/1616455335203438592?s=20
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali
date: 2023-01-21
tags:
    - detection.emerging-threats
    - attack.initial-access
    - attack.t1190
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\svchost.exe'
        Image|endswith: '\svchost.exe'
        ParentCommandLine|contains: '-k DHCPServer'
        CommandLine|contains: '-k DHCPServer'
        User|contains: # Covers many language settings for Network Service. Please expand.
            - 'NETWORK SERVICE'
            - 'NETZWERKDIENST'
            - 'SERVIZIO DI RETE'
            - 'SERVICIO DE RED'
    condition: selection
falsepositives:
    - Unknown
level: high
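To make the selection block concrete, here is an added example (not code from the rule, its authors or the SigmaHQ project): a minimal Python evaluator that applies the rule's endswith/contains semantics to constructed Windows process_creation events. The field names follow the Sigma process_creation field set; the sample events are invented, and the French account name in the last event is an assumed localisation included to illustrate the "Please expand" comment in the rule.

```python
# Added example: evaluates the rule's "selection" against constructed
# process_creation events. Not part of the Sigma rule or SigmaHQ.
# Assumptions: Sigma process_creation field names (Image, ParentImage,
# CommandLine, ParentCommandLine, User); all sample events are invented.

# The selection exactly as the rule states it: every key must match (AND);
# a list value matches when any entry matches (OR).
SELECTION = {
    "ParentImage|endswith": "\\svchost.exe",
    "Image|endswith": "\\svchost.exe",
    "ParentCommandLine|contains": "-k DHCPServer",
    "CommandLine|contains": "-k DHCPServer",
    "User|contains": [
        "NETWORK SERVICE",   # English
        "NETZWERKDIENST",    # German
        "SERVIZIO DI RETE",  # Italian
        "SERVICIO DE RED",   # Spanish
    ],
}


def field_matches(event, key, expected):
    """Apply one Sigma field|modifier pair to an event.

    Sigma string comparison is case-insensitive by default, so both
    sides are lower-cased before the endswith/contains test.
    """
    field, _, modifier = key.partition("|")
    actual = event.get(field)
    if actual is None:
        return False
    actual = actual.lower()
    candidates = expected if isinstance(expected, list) else [expected]
    for value in candidates:
        value = value.lower()
        if modifier == "endswith" and actual.endswith(value):
            return True
        if modifier == "contains" and value in actual:
            return True
        if modifier == "" and actual == value:
            return True
    return False


def rule_matches(event, selection=SELECTION):
    """condition: selection -> all keys of the selection must match."""
    return all(field_matches(event, k, v) for k, v in selection.items())


def event(parent_image, parent_cmd, image, cmd, user):
    """Build a process_creation-style event dict (constructed data)."""
    return {"ParentImage": parent_image, "ParentCommandLine": parent_cmd,
            "Image": image, "CommandLine": cmd, "User": user}


SVCHOST = r"C:\Windows\System32\svchost.exe"
SERVICES = r"C:\Windows\System32\services.exe"
DHCP = SVCHOST + " -k DHCPServer"
NETSVCS = SVCHOST + " -k netsvcs -p"

# Constructed sample events, none taken from real telemetry.
SAMPLE_EVENTS = [
    # 0: the pattern the rule targets, English Network Service account
    event(SVCHOST, DHCP, SVCHOST, DHCP, r"NT AUTHORITY\NETWORK SERVICE"),
    # 1: same pattern on a German-localised host
    event(SVCHOST, DHCP, SVCHOST, DHCP, r"NT-AUTORITÄT\NETZWERKDIENST"),
    # 2: normal service start: services.exe launching the DHCP Server host
    event(SERVICES, SERVICES, SVCHOST, DHCP, r"NT AUTHORITY\NETWORK SERVICE"),
    # 3: svchost spawning svchost, but a different service group and account
    event(SVCHOST, NETSVCS, SVCHOST, NETSVCS, r"NT AUTHORITY\SYSTEM"),
    # 4: assumed French account name, not yet in the rule's User list
    event(SVCHOST, DHCP, SVCHOST, DHCP, r"AUTORITE NT\SERVICE RÉSEAU"),
]


def matching_indexes(events=SAMPLE_EVENTS, selection=SELECTION):
    """Return the indexes of the events the rule would alert on."""
    return [i for i, e in enumerate(events) if rule_matches(e, selection)]


if __name__ == "__main__":
    print("matched events:", matching_indexes())  # [0, 1]
```

Events 0 and 1 match; event 2 fails on ParentImage, event 3 on both command lines, and event 4 only because its localised account name is absent from the User list, which is the gap the rule's own comment asks contributors to close.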
Related rules
- ADSelfService Exploitation
- Apache Spark Shell Command Injection - Weblogs
- Arcadyan Router Exploitations
- Atlassian Bitbucket Command Injection Via Archive API
- CVE-2010-5278 Exploitation Attempt