PaperCut MF/NG Potential Exploitation
Detects suspicious child processes of "pc-app.exe" (the PaperCut MF/NG Application Server process), which could indicate potential exploitation of PaperCut. The rule pairs that parent with a list of interpreters and living-off-the-land binaries (cmd.exe, powershell.exe, certutil.exe, rundll32.exe and similar) that the print server has no routine reason to spawn.
Sigma rule
title: PaperCut MF/NG Potential Exploitation
id: 0934ac71-a331-4e98-a034-d49c491fbbcb
status: test
description: Detects suspicious child processes of "pc-app.exe", which could indicate potential exploitation of PaperCut
references:
    - https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software
    - https://github.com/huntresslabs/threat-intel/blob/main/2023/2023-04/20-PaperCut/win_susp_papercut_code_execution.yml
author: Nasreddine Bencherchali (Nextron Systems), Huntress DE&TH Team (idea)
date: 2023-04-20
modified: 2023-04-25
tags:
    - attack.execution
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\pc-app.exe'
        Image|endswith:
            - '\bash.exe'
            - '\calc.exe'
            - '\certutil.exe'
            - '\cmd.exe'
            - '\csc.exe'
            - '\cscript.exe'
            - '\dllhost.exe'
            - '\mshta.exe'
            - '\msiexec.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\scriptrunner.exe'
            - '\wmic.exe'
            - '\wscript.exe'
            - '\wsl.exe'
    condition: selection
falsepositives:
    - Legitimate administration activity
level: high
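To see exactly what the selection above matches, here is an added example that evaluates the rule's `selection` block against a few constructed Sysmon-style process-creation events. It is not part of the rule and not SigmaHQ tooling: it implements only the subset of Sigma matching this rule needs (field values AND-ed, list values OR-ed, `endswith` compared case-insensitively, as Sigma specifies for plain string values), and the event records, paths and command lines are made up for the illustration.

```python
"""Evaluate the PaperCut Sigma selection against constructed process-creation events.

Added illustration, not the rule's own code or a SigmaHQ/pySigma backend. Only the
Sigma features this rule uses are implemented; events below are constructed.
"""
from __future__ import annotations

from typing import Any

# The rule's `selection` block, transcribed as a Python dict (keys keep Sigma's
# `Field|modifier` form; the backslash in each value is part of the match).
SELECTION: dict[str, Any] = {
    "ParentImage|endswith": "\\pc-app.exe",
    "Image|endswith": [
        "\\bash.exe", "\\calc.exe", "\\certutil.exe", "\\cmd.exe", "\\csc.exe",
        "\\cscript.exe", "\\dllhost.exe", "\\mshta.exe", "\\msiexec.exe",
        "\\powershell.exe", "\\pwsh.exe", "\\regsvr32.exe", "\\rundll32.exe",
        "\\scriptrunner.exe", "\\wmic.exe", "\\wscript.exe", "\\wsl.exe",
    ],
}


def _match_value(modifier: str, actual: str, expected: str) -> bool:
    """Sigma plain string matching is case-insensitive; only the modifiers
    needed here (and the closely related ones) are implemented."""
    a, e = actual.lower(), expected.lower()
    if modifier == "endswith":
        return a.endswith(e)
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "contains":
        return e in a
    if modifier == "":
        return a == e
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(selection: dict[str, Any], event: dict[str, str]) -> bool:
    """Every field in a selection must match (AND); a list of values for one
    field matches if any value does (OR). A field absent from the event never
    matches, so a log source that omits ParentImage can never fire this rule."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        actual = event.get(field)
        if actual is None:
            return False
        values = expected if isinstance(expected, list) else [expected]
        if not any(_match_value(modifier, actual, v) for v in values):
            return False
    return True


# Constructed Sysmon Event ID 1 style records (assumed paths, not real telemetry).
PC_APP = "C:\\Program Files\\PaperCut MF\\server\\bin\\win\\pc-app.exe"
EVENTS: list[dict[str, str]] = [
    # 0: classic post-exploitation pattern, should alert
    {"ParentImage": PC_APP, "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    # 1: upper-cased path as some agents record it, still alerts (case-insensitive)
    {"ParentImage": PC_APP.upper(),
     "Image": "C:\\WINDOWS\\SYSTEM32\\WINDOWSPOWERSHELL\\V1.0\\POWERSHELL.EXE",
     "CommandLine": "powershell -enc AAAA"},
    # 2: pc-app.exe spawning its own Java runtime, not in the child list, no alert
    {"ParentImage": PC_APP,
     "Image": "C:\\Program Files\\PaperCut MF\\runtime\\jre\\bin\\java.exe",
     "CommandLine": "java.exe -server ..."},
    # 3: cmd.exe from a different parent, no alert
    {"ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe"},
    # 4: an admin-run maintenance script from pc-app.exe; the rule does not
    #    look at CommandLine, so this alerts too and must be triaged by hand
    {"ParentImage": PC_APP, "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c C:\\Scripts\\rotate-logs.cmd"},
]


def run_rule(events: list[dict[str, str]]) -> list[int]:
    """Return the indices of events the rule's selection matches."""
    return [i for i, ev in enumerate(events) if selection_matches(SELECTION, ev)]


if __name__ == "__main__":
    for i in run_rule(EVENTS):
        print(f"ALERT event {i}: {EVENTS[i]['Image']} <- {EVENTS[i]['ParentImage']}")
```

Two points the walk-through makes concrete: the leading backslash in `'\pc-app.exe'` means a binary merely named `notpc-app.exe` does not match, and the rule deliberately ignores `CommandLine`, which is why the listed false positive (legitimate administration activity, event 4 above) still fires and has to be handled in triage or with a site-specific filter rather than by loosening the parent or child lists.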
Related rules
- APT29 2018 Phishing Campaign CommandLine Indicators
- Adwind RAT / JRAT
- Blue Mockingbird
- CVE-2021-1675 Print Spooler Exploitation
- CVE-2021-1675 Print Spooler Exploitation Filename Pattern