diff --git a/rules-emerging-threats/2025/Exploits/CVE-2025-54309/proc_creation_win_exploit_cve_2025_54309.yml b/rules-emerging-threats/2025/Exploits/CVE-2025-54309/proc_creation_win_exploit_cve_2025_54309.yml
new file mode 100644
index 000000000..c82ecba5f
--- /dev/null
+++ b/rules-emerging-threats/2025/Exploits/CVE-2025-54309/proc_creation_win_exploit_cve_2025_54309.yml
@@ -0,0 +1,53 @@
+title: Potential Exploitation of CrushFTP RCE Vulnerability (CVE-2025-54309)
+id: 0fdc7c7f-c690-4217-9ae3-31f5156eed72
+status: experimental
+description: Detects suspicious child processes created by CrushFTP. It could be an indication of exploitation of a RCE vulnerability such as CVE-2025-54309.
+references:
+ - https://reliaquest.com/blog/threat-spotlight-cve-2025-54309-crushftp-exploit/
+ - https://pwn.guide/free/web/crushftp
+ - https://firecompass.com/crushftp-vulnerability-cve-2025-54309-securing-file-transfer-services/
+author: Nisarg Suthar
+date: 2025-08-01
+tags:
+ - attack.initial-access
+ - attack.execution
+ - attack.t1059.001
+ - attack.t1059.003
+ - attack.t1068
+ - attack.t1190
+ - cve.2025-54309
+ - detection.emerging-threats
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_parent:
+ ParentImage|endswith: '\crushftp.exe'
+ selection_child_powershell:
+ Image|endswith:
+ - '\powershell.exe'
+ - '\powershell_ise.exe'
+ - '\pwsh.exe'
+ CommandLine|contains|all:
+ - 'IEX'
+ - 'enc'
+ - 'Hidden'
+ - 'bypass'
+ selection_child_cmd:
+ Image|endswith: '\cmd.exe'
+ CommandLine|contains:
+ - '/c powershell'
+ - 'whoami'
+ - 'net.exe'
+ - 'net1.exe'
+ selection_child_others:
+ Image|endswith:
+ - '\bitsadmin.exe'
+ - '\certutil.exe'
+ - '\mshta.exe'
+ - '\cscript.exe'
+ - '\wscript.exe'
+ condition: selection_parent and 1 of selection_child_*
+falsepositives:
+ - Legitimate administrative command execution
+level: high
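Review bot: `CommandLine|contains|all` in selection_child_powershell requires 'IEX', 'enc', 'Hidden' and 'bypass' to all appear in the same command line, so a PowerShell child of crushftp.exe that carries only an encoded command, or only a download cradle, never matches; because the crushftp.exe parent is already the strong signal, `CommandLine|contains:` (any one token) or no command-line constraint at all is closer to the stated intent, at the cost of tuning against legitimate CrushFTP plugin or event scripts. In selection_child_cmd the tokens 'net.exe' and 'net1.exe' only match when the binary is invoked with its extension, which the usual `net user` / `net localgroup` forms are not, so a separate child selection on `Image|endswith: ['\net.exe', '\net1.exe']` under the same parent would cover that path without widening the cmd.exe match. Also worth confirming whether CrushFTP on Windows spawns children from crushftp.exe itself or from a bundled java.exe/javaw.exe; if the latter, the single ParentImage value misses the exploitation chain — this is an inference, not visible from the rule, and the reference posts should settle it. The description's "a RCE" reads better as "an RCE".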