Suspicious Usage of CVE_2021_34484 or CVE 2022_21919
During exploitation of this vulnerability, two logs (Provider_Name:Microsoft-Windows-User Profiles Service) with EventID 1511 and 1515 (maybe lot of false positives with this event) are created. Moreover, it appears the directory \Users\TEMP is created may be created during the exploitation. Viewed on 2008 Server
Sigma rule (View on GitHub)
1title: Suspicious Usage of CVE_2021_34484 or CVE 2022_21919
2id: 52a85084-6989-40c3-8f32-091e12e17692
3status: test
4description: During exploitation of this vulnerability, two logs (Provider_Name:Microsoft-Windows-User Profiles Service) with EventID 1511 and 1515 (maybe lot of false positives with this event) are created. Moreover, it appears the directory \Users\TEMP is created may be created during the exploitation. Viewed on 2008 Server
5references:
6 - https://packetstormsecurity.com/files/166692/Windows-User-Profile-Service-Privlege-Escalation.html
7author: Cybex
8date: 2022-08-16
9modified: 2023-05-02
10tags:
11 - attack.execution
12logsource:
13 product: windows
14 service: application
15detection:
16 selection:
17 EventID: 1511
18 Provider_Name: 'Microsoft-Windows-User Profiles Service'
19 condition: selection
20falsepositives:
21 - Corrupted user profiles - https://social.technet.microsoft.com/wiki/contents/articles/3571.windows-user-profiles-service-event-1511-windows-cannot-find-the-local-profile-and-is-logging-you-on-with-a-temporary-profile.aspx
22level: low
References
Related rules
- AADInternals PowerShell Cmdlets Execution - ProccessCreation
- AADInternals PowerShell Cmdlets Execution - PsScript
- AMSI Bypass Pattern Assembly GetType
- APT29 2018 Phishing Campaign CommandLine Indicators
- AWS EC2 Startup Shell Script Change