Suspicious Child Process Of Manage Engine ServiceDesk

 1title: Suspicious Child Process Of Manage Engine ServiceDesk
 2id: cea2b7ea-792b-405f-95a1-b903ea06458f
 3status: test
 4description: Detects suspicious child processes of the "Manage Engine ServiceDesk Plus" Java web service
 5references:
 6    - https://www.horizon3.ai/manageengine-cve-2022-47966-technical-deep-dive/
 7    - https://github.com/horizon3ai/CVE-2022-47966/blob/3a51c6b72ebbd87392babd955a8fbeaee2090b35/CVE-2022-47966.py
 8    - https://blog.viettelcybersecurity.com/saml-show-stopper/
 9author: Florian Roth (Nextron Systems)
10date: 2023-01-18
11modified: 2023-08-29
12tags:
13    - attack.command-and-control
14    - attack.t1102
15logsource:
16    category: process_creation
17    product: windows
18detection:
19    selection:
20        ParentImage|contains|all:
21            - '\ManageEngine\ServiceDesk\'
22            - '\java.exe'
23        Image|endswith:
24            - '\AppVLP.exe'
25            - '\bash.exe'
26            - '\bitsadmin.exe'
27            - '\calc.exe'
28            - '\certutil.exe'
29            - '\cscript.exe'
30            - '\curl.exe'
31            - '\forfiles.exe'
32            - '\mftrace.exe'
33            - '\mshta.exe'
34            - '\net.exe'
35            - '\net1.exe'
36            - '\notepad.exe'  # Often used in POCs
37            - '\powershell.exe'
38            - '\pwsh.exe'
39            - '\query.exe'
40            - '\reg.exe'
41            - '\schtasks.exe'
42            - '\scrcons.exe'
43            - '\sh.exe'
44            - '\systeminfo.exe'
45            - '\whoami.exe'  # Often used in POCs
46            - '\wmic.exe'
47            - '\wscript.exe'
48            # - '\hh.exe'
49            # - '\regsvr32.exe'
50            # - '\rundll32.exe'
51            # - '\scriptrunner.exe'
52    filter_main_net:
53        Image|endswith:
54            - '\net.exe'
55            - '\net1.exe'
56        CommandLine|contains: ' stop'
57    condition: selection and not 1 of filter_main_*
58falsepositives:
59    - Legitimate sub processes started by Manage Engine ServiceDesk Pro
60level: high

References

• ManageEngine CVE-2022-47966 Technical Deep Dive

  

  On January 10, 2023, ManageEngine released a security advisory for CVE-2022-47966 (discovered by Khoadha of Viettel Cyber Security) affecting a wide range of products. The vulnerability allows an attacker to gain remote code execution by issuing a HTTP POST request containing a malicious SAML response. This vulnerability is a result of using an outdated version of Apache Santuario for XML signature validation.

  
  Read More

• CVE-2022-47966/CVE-2022-47966.py at 3a51c6b72ebbd87392babd955a8fbeaee2090b35 · horizon3ai/CVE-2022-47966

  

  POC for CVE-2022-47966 affecting multiple ManageEngine products - horizon3ai/CVE-2022-47966

  
  Read More

• CVE-2022-47966 SAML ShowStopper

  

  1. IntroductionSAML(Security Assertion Markup Language) & OIDC (OpenID Connect) is the two main SSO (Single-Sign-On) standards. While OIDC is more popular, SAML is mostly used by enterprise organization to authenticate employee. SAML depends on XML signatures & XML Encryption to check if the message come from identity provider (IdP)

  
  Read More

Related rules

• Communication To LocaltoNet Tunneling Service Initiated
• Communication To LocaltoNet Tunneling Service Initiated - Linux
• Communication To Ngrok Tunneling Service - Linux
• Communication To Ngrok Tunneling Service Initiated
• Network Connection Initiated To AzureWebsites.NET By Non-Browser Process