HackTool - SysmonEOP Execution

Detects the execution of the PoC that can be used to exploit Sysmon CVE-2022-41120

Sigma rule (View on GitHub)

 1title: HackTool - SysmonEOP Execution
 2id: 8a7e90c5-fe6e-45dc-889e-057fe4378bd9
 3status: test
 4description: Detects the execution of the PoC that can be used to exploit Sysmon CVE-2022-41120
 5references:
 6    - https://github.com/Wh04m1001/SysmonEoP
 7author: Florian Roth (Nextron Systems)
 8date: 2022-12-04
 9modified: 2024-04-15
10tags:
11    - cve.2022-41120
12    - attack.t1068
13    - attack.privilege-escalation
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection_img:
19        Image|endswith: '\SysmonEOP.exe'
20    selection_hash:
21        - Hashes|contains:
22              - 'IMPHASH=22F4089EB8ABA31E1BB162C6D9BF72E5'
23              - 'IMPHASH=5123FA4C4384D431CD0D893EEB49BBEC'
24        - Imphash:
25              - '22f4089eb8aba31e1bb162c6d9bf72e5'
26              - '5123fa4c4384d431cd0d893eeb49bbec'
27    condition: 1 of selection_*
28falsepositives:
29    - Unlikely
30level: critical

References

Related rules

to-top