Suspicious Usage of CVE_2021_34484 or CVE 2022_21919

During exploitation of this vulnerability, two logs (Provider_Name:Microsoft-Windows-User Profiles Service) with EventID 1511 and 1515 (maybe lot of false positives with this event) are created. Moreover, it appears the directory \Users\TEMP is created may be created during the exploitation. Viewed on 2008 Server

Sigma rule (View on GitHub)

 1title: Suspicious Usage of CVE_2021_34484 or CVE 2022_21919
 2id: 52a85084-6989-40c3-8f32-091e12e17692
 3status: test
 4description: During exploitation of this vulnerability, two logs (Provider_Name:Microsoft-Windows-User Profiles Service) with EventID 1511 and 1515 (maybe lot of false positives with this event) are created. Moreover, it appears the directory \Users\TEMP is created may be created during the exploitation. Viewed on 2008 Server
 5references:
 6    - https://packetstormsecurity.com/files/166692/Windows-User-Profile-Service-Privlege-Escalation.html
 7author: Cybex
 8date: 2022-08-16
 9modified: 2023-05-02
10tags:
11    - attack.execution
12logsource:
13    product: windows
14    service: application
15detection:
16    selection:
17        EventID: 1511
18        Provider_Name: 'Microsoft-Windows-User Profiles Service'
19    condition: selection
20falsepositives:
21    - Corrupted user profiles - https://social.technet.microsoft.com/wiki/contents/articles/3571.windows-user-profiles-service-event-1511-windows-cannot-find-the-local-profile-and-is-logging-you-on-with-a-temporary-profile.aspx
22level: low

References

Related rules

to-top