MSMQ Corrupted Packet Encountered

Apr 21, 2023 · attack.execution ·

Share on:

Detects corrupted packets sent to the MSMQ service. Could potentially be a sign of CVE-2023-21554 exploitation

Sigma rule (View on GitHub)

 1title: MSMQ Corrupted Packet Encountered
 2id: ae94b10d-fee9-4767-82bb-439b309d5a27
 3status: experimental
 4description: Detects corrupted packets sent to the MSMQ service. Could potentially be a sign of CVE-2023-21554 exploitation
 5references:
 6    - https://www.randori.com/blog/vulnerability-analysis-queuejumper-cve-2023-21554/
 7author: Nasreddine Bencherchali (Nextron Systems)
 8date: 2023/04/21
 9tags:
10    - attack.execution
11logsource:
12    product: windows
13    service: application
14detection:
15    selection:
16        Provider_Name: 'MSMQ'
17        EventID: 2027
18        Level: 2
19    condition: selection
20falsepositives:
21    - Unknown
22level: high

Related rules

Potential Suspicious PowerShell Keywords
Malicious PowerShell Commandlets - PoshModule
Malicious PowerShell Commandlets - ProcessCreation
Malicious PowerShell Commandlets - ScriptBlock
Malicious PowerShell Scripts - FileCreation