HackTool - SysmonEOP Execution

Nov 25, 2024 · cve.2022-41120 attack.t1068 attack.privilege-escalation ·

Detects the execution of the PoC that can be used to exploit Sysmon CVE-2022-41120

Sigma rule (View on GitHub)

 1title: HackTool - SysmonEOP Execution
 2id: 8a7e90c5-fe6e-45dc-889e-057fe4378bd9
 3status: test
 4description: Detects the execution of the PoC that can be used to exploit Sysmon CVE-2022-41120
 5references:
 6    - https://github.com/Wh04m1001/SysmonEoP
 7author: Florian Roth (Nextron Systems)
 8date: 2022-12-04
 9modified: 2024-11-23
10tags:
11    - cve.2022-41120
12    - attack.t1068
13    - attack.privilege-escalation
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection_img:
19        Image|endswith: '\SysmonEOP.exe'
20    selection_hash:
21        Hashes|contains:
22            - 'IMPHASH=22F4089EB8ABA31E1BB162C6D9BF72E5'
23            - 'IMPHASH=5123FA4C4384D431CD0D893EEB49BBEC'
24    condition: 1 of selection_*
25falsepositives:
26    - Unlikely
27level: critical

References

GitHub - Wh04m1001/SysmonEoP

Contribute to Wh04m1001/SysmonEoP development by creating an account on GitHub.

Read More

HackTool - SysmonEOP Execution

Sigma rule (View on GitHub)

References

GitHub - Wh04m1001/SysmonEoP

Related rules