attack.t1210

Exploitation Attempt Of CVE-2023-46214 Using Public POC Code

Nov 27, 2023 · cve.2023.46214 detection.emerging_threats attack.lateral_movement attack.t1210 ·

Detects exploitation attempt of CVE-2023-46214, a remote code execution (RCE) in Splunk Enterprise through insecure XML parsing using known public proof of concept code

Potential CVE-2023-46214 Exploitation Attempt

Nov 27, 2023 · attack.lateral_movement attack.t1210 cve.2023.46214 detection.emerging_threats ·

Share on:

Detects potential exploitation of CVE-2023-46214, a remote code execution (RCE) in Splunk Enterprise through insecure XML parsing

Possible Exploitation of Exchange RCE CVE-2021-42321

Oct 26, 2023 · attack.lateral_movement attack.t1210 detection.emerging_threats ·

Share on:

Detects log entries that appear in exploitation attempts against MS Exchange RCE CVE-2021-42321

OMIGOD HTTP No Authentication RCE

Oct 18, 2023 · attack.privilege_escalation attack.initial_access attack.execution attack.lateral_movement attack.t1068 attack.t1190 attack.t1203 attack.t1021.006 attack.t1210 ·

Share on:

Detects the exploitation of OMIGOD (CVE-2021-38647) which allows remote execute (RCE) commands as root with just a single unauthenticated HTTP request. Verify, successful, exploitation by viewing the HTTP client (request) body to see what was passed to the server (using PCAP). Within the client body is where the code execution would occur. Additionally, check the endpoint logs to see if suspicious commands or activity occurred within the timeframe of this HTTP request.

WannaCry Ransomware Activity

Oct 18, 2023 · attack.lateral_movement attack.t1210 attack.discovery attack.t1083 attack.defense_evasion attack.t1222.001 attack.impact attack.t1486 attack.t1490 detection.emerging_threats ·

Share on:

Detects WannaCry ransomware activity

Audit CVE Event

Oct 17, 2023 · attack.execution attack.t1203 attack.privilege_escalation attack.t1068 attack.defense_evasion attack.t1211 attack.credential_access attack.t1212 attack.lateral_movement attack.t1210 attack.impact attack.t1499.004 ·

Share on:

Detects events generated by user-mode applications when they call the CveEventWrite API when a known vulnerability is trying to be exploited. MS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability. Unfortunately, that is about the only instance of CVEs being written to this log.

Suspicious SysAidServer Child

Oct 17, 2023 · attack.lateral_movement attack.t1210 ·

Share on:

Detects suspicious child processes of SysAidServer (as seen in MERCURY threat actor intrusions)

Apache Threading Error

Aug 28, 2023 · attack.initial_access attack.lateral_movement attack.t1190 attack.t1210 ·

Share on:

Detects an issue in apache logs that reports threading related errors

Scanner PoC for CVE-2019-0708 RDP RCE Vuln

May 2, 2023 · attack.lateral_movement attack.t1210 car.2013-07-002 ·

Share on:

Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep

Potential RDP Exploit CVE-2019-0708

Apr 14, 2023 · attack.lateral_movement attack.t1210 car.2013-07-002 ·

Share on:

Detect suspicious error on protocol RDP, potential CVE-2019-0708

Zerologon Exploitation Using Well-known Tools

Apr 14, 2023 · attack.t1210 attack.lateral_movement ·

Share on:

This rule is designed to detect attempts to exploit Zerologon (CVE-2020-1472) vulnerability using mimikatz zerologon module or other exploits from machine with "kali" hostname.

Terminal Service Process Spawn

Mar 5, 2023 · attack.initial_access attack.t1190 attack.lateral_movement attack.t1210 car.2013-07-002 ·

Share on:

Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)

Execution of ZeroLogon PoC executable

Jan 8, 2023 · attack.execution attack.lateral_movement attack.T1210 ·

Share on:

Detects the execution of the commonly used ZeroLogon PoC executable.

Abuse of the Windows Server Update Services (WSUS) for lateral movement.

Oct 7, 2022 · attack.execution attack.lateral_movement attack.T1210 ·

Share on:

Windows Server Update Services (WSUS) is a critical component of Windows systems and is frequently configured in a way that allows an attacker to circumvent internal networking limitations. Some tools, such as SharpWSUS and WSUSpendu, support lateral movement through WSUS.This rule covers those two main tools used for that purpose.