PaperCut MF/NG Exploitation Related Indicators
Detects exploitation indicators related to PaperCut MF/NG Exploitation
Sigma rule (View on GitHub)
1title: PaperCut MF/NG Exploitation Related Indicators
2id: de1bd0b6-6d59-417c-86d9-a44114aede3b
3status: test
4description: Detects exploitation indicators related to PaperCut MF/NG Exploitation
5references:
6 - https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software
7 - https://www.papercut.com/kb/Main/PO-1216-and-PO-1219
8author: Nasreddine Bencherchali (Nextron Systems)
9date: 2023/04/25
10tags:
11 - attack.execution
12 - detection.emerging_threats
13logsource:
14 category: process_creation
15 product: windows
16detection:
17 selection_1:
18 CommandLine|contains|all:
19 - ' /c '
20 - 'powershell'
21 - '-nop -w hidden'
22 - 'Invoke-WebRequest'
23 - 'setup.msi'
24 - '-OutFile'
25 selection_2:
26 CommandLine|contains|all:
27 - 'msiexec '
28 - '/i '
29 - 'setup.msi '
30 - '/qn '
31 - 'IntegratorLogin=fimaribahundq'
32 condition: 1 of selection_*
33falsepositives:
34 - Unlikely
35level: high
References
-
Our team is tracking in-the-wild exploitation of zero-day vulnerabilities against PaperCut MF/NG which allow for unauthenticated remote code execution due to an authentication bypass.
Read More -
info This page will continue to be updated as new information becomes available. Last updated: 16 May 12:00 AEST. info For other Security vulnerability and Security bulletin information, see our Se...
Read More
Related rules
- Blue Mockingbird
- CVE-2021-1675 Print Spooler Exploitation
- DNS RCE CVE-2020-1350
- DarkSide Ransomware Pattern
- Elise Backdoor Activity