Suspicious Child Process Of Manage Engine ServiceDesk
Detects suspicious child processes of the "Manage Engine ServiceDesk Plus" Java web service
Sigma rule (View on GitHub)
1title: Suspicious Child Process Of Manage Engine ServiceDesk
2id: cea2b7ea-792b-405f-95a1-b903ea06458f
3status: test
4description: Detects suspicious child processes of the "Manage Engine ServiceDesk Plus" Java web service
5references:
6 - https://www.horizon3.ai/manageengine-cve-2022-47966-technical-deep-dive/
7 - https://github.com/horizon3ai/CVE-2022-47966/blob/3a51c6b72ebbd87392babd955a8fbeaee2090b35/CVE-2022-47966.py
8 - https://blog.viettelcybersecurity.com/saml-show-stopper/
9author: Florian Roth (Nextron Systems)
10date: 2023-01-18
11modified: 2023-08-29
12tags:
13 - attack.command-and-control
14 - attack.t1102
15logsource:
16 category: process_creation
17 product: windows
18detection:
19 selection:
20 ParentImage|contains|all:
21 - '\ManageEngine\ServiceDesk\'
22 - '\java.exe'
23 Image|endswith:
24 - '\AppVLP.exe'
25 - '\bash.exe'
26 - '\bitsadmin.exe'
27 - '\calc.exe'
28 - '\certutil.exe'
29 - '\cscript.exe'
30 - '\curl.exe'
31 - '\forfiles.exe'
32 - '\mftrace.exe'
33 - '\mshta.exe'
34 - '\net.exe'
35 - '\net1.exe'
36 - '\notepad.exe' # Often used in POCs
37 - '\powershell.exe'
38 - '\pwsh.exe'
39 - '\query.exe'
40 - '\reg.exe'
41 - '\schtasks.exe'
42 - '\scrcons.exe'
43 - '\sh.exe'
44 - '\systeminfo.exe'
45 - '\whoami.exe' # Often used in POCs
46 - '\wmic.exe'
47 - '\wscript.exe'
48 # - '\hh.exe'
49 # - '\regsvr32.exe'
50 # - '\rundll32.exe'
51 # - '\scriptrunner.exe'
52 filter_main_net:
53 Image|endswith:
54 - '\net.exe'
55 - '\net1.exe'
56 CommandLine|contains: ' stop'
57 condition: selection and not 1 of filter_main_*
58falsepositives:
59 - Legitimate sub processes started by Manage Engine ServiceDesk Pro
60level: high
References
Related rules
- Cloudflared Tunnel Connections Cleanup
- Cloudflared Tunnel Execution
- Communication To LocaltoNet Tunneling Service Initiated
- Communication To LocaltoNet Tunneling Service Initiated - Linux
- Communication To Ngrok Tunneling Service - Linux