Suspicious Serv-U Process Pattern

Detects a suspicious process pattern which could be a sign of an exploited Serv-U service

Sigma rule (View on GitHub)

 1title: Suspicious Serv-U Process Pattern
 2id: 58f4ea09-0fc2-4520-ba18-b85c540b0eaf
 3status: test
 4description: Detects a suspicious process pattern which could be a sign of an exploited Serv-U service
 5references:
 6    - https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/
 7author: Florian Roth (Nextron Systems)
 8date: 2021-07-14
 9modified: 2022-07-14
10tags:
11    - attack.credential-access
12    - attack.t1555
13    - cve.2021-35211
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection:
19        ParentImage|endswith: '\Serv-U.exe'
20        Image|endswith:
21            - '\cmd.exe'
22            - '\powershell.exe'
23            - '\pwsh.exe'
24            - '\wscript.exe'
25            - '\cscript.exe'
26            - '\sh.exe'
27            - '\bash.exe'
28            - '\schtasks.exe'
29            - '\regsvr32.exe'
30            - '\wmic.exe'  # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/
31            - '\mshta.exe'
32            - '\rundll32.exe'
33            - '\msiexec.exe'
34            - '\forfiles.exe'
35            - '\scriptrunner.exe'
36    condition: selection
37falsepositives:
38    - Legitimate uses in which users or programs use the SSH service of Serv-U for remote command execution
39level: high

References

Related rules

to-top