From 17dcad456f723cc207e524e28bf43efe375c8be8 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 14 Dec 2024 21:44:55 +0100
Subject: [PATCH] Merge PR #5116 from @Neo23x0 - Add rules and updates related to Cleo exploitation new: CVE-2024-50623 Exploitation Attempt - Cleo update: Webshell Detection With Command Line Keywords - Add suspicious powershell commandline keywords
---------
Co-authored-by: Nasreddine Bencherchali
---
 ...eation_win_exploit_cve_2024_50623_cleo.yml | 33 +++++++++++++++++++
 ..._webshell_recon_commands_and_processes.yml | 16 +++++++--
 2 files changed, 47 insertions(+), 2 deletions(-)
 create mode 100644 rules-emerging-threats/2024/Exploits/CVE-2024-50623/proc_creation_win_exploit_cve_2024_50623_cleo.yml
diff --git a/rules-emerging-threats/2024/Exploits/CVE-2024-50623/proc_creation_win_exploit_cve_2024_50623_cleo.yml b/rules-emerging-threats/2024/Exploits/CVE-2024-50623/proc_creation_win_exploit_cve_2024_50623_cleo.yml
new file mode 100644
index 000000000..d6b0692c9
--- /dev/null
+++ b/rules-emerging-threats/2024/Exploits/CVE-2024-50623/proc_creation_win_exploit_cve_2024_50623_cleo.yml
@@ -0,0 +1,33 @@
+title: CVE-2024-50623 Exploitation Attempt - Cleo
+id: f007b877-02e3-45b7-8501-1b78c2864029
+status: experimental
+description: |
+ Detects exploitation attempt of Cleo's CVE-2024-50623 by looking for a "cmd.exe" process spawning from the Celo software suite with suspicious Powershell commandline.
+references:
+ - https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild
+author: Tanner Filip, Austin Worline, Chad Hudson, Matt Anderson
+date: 2024-12-09
+tags:
+ - attack.execution
+ - attack.t1190
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ ParentImage|endswith: '\javaw.exe'
+ ParentCommandLine|contains:
+ - 'Harmony'
+ - 'lexicom'
+ - 'VersaLex'
+ - 'VLTrader'
+ Image|endswith: '\cmd.exe'
+ CommandLine|contains:
+ - 'powershell'
+ - ' -enc '
+ - ' -EncodedCommand'
+ - '.Download'
+ condition: selection
+falsepositives:
+ - Unlikely
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_webshell_recon_commands_and_processes.yml b/rules/windows/process_creation/proc_creation_win_webshell_recon_commands_and_processes.yml
index 96feead4e..b2ee15af6 100644
--- a/rules/windows/process_creation/proc_creation_win_webshell_recon_commands_and_processes.yml
+++ b/rules/windows/process_creation/proc_creation_win_webshell_recon_commands_and_processes.yml
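Review bot: The description of the new rule misspells the vendor ("from the Celo software suite") and is what an analyst reads when the rule fires, so it should read `Detects exploitation attempts of Cleo's CVE-2024-50623 by looking for a "cmd.exe" process spawned by the Cleo software suite with a suspicious PowerShell command line.` The selection only fires when cmd.exe is the intermediate child of javaw.exe, so a PowerShell process started directly by the Cleo Java process would not match; if that narrowing is deliberate it is worth one sentence in the description, and if not, `Image|endswith` could take the `'\cmd.exe'`, `'\powershell.exe'`, `'\pwsh.exe'` list the webshell rule in this same commit uses (noting that the `'powershell'` keyword then matches every such child, which may be acceptable given the parent constraints). Of the `ParentCommandLine|contains` keywords, `'Harmony'` is the least product-specific and could appear in other Java applications' paths or arguments; the parent/child combination mitigates this, but `falsepositives: Unlikely` could say so explicitly.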
@@ -5,9 +5,10 @@ description: Detects certain command line parameters often used during reconnais
 references:
 - https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html
 - https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/
-author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, Anton Kutepov, oscd.community
+ - https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild
+author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, Anton Kutepov, oscd.community, Chad Hudson, Matt Anderson
 date: 2017-01-01
-modified: 2022-05-13
+modified: 2024-12-14
 tags:
 - attack.persistence
 - attack.t1505.003
@@ -58,6 +59,17 @@ detection:
 selection_susp_wmic_utility:
 OriginalFileName: 'wmic.exe'
 CommandLine|contains: ' /node:'
+ selection_susp_powershell_cli:
+ Image|endswith:
+ - '\cmd.exe'
+ - '\powershell.exe'
+ - '\pwsh.exe'
+ CommandLine|contains:
+ - ' -enc '
+ - ' -EncodedCommand '
+ - ' -w hidden '
+ - ' -windowstyle hidden'
+ - '.WebClient).Download'
 selection_susp_misc_discovery_binaries:
 - Image|endswith:
 - '\dsquery.exe'
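Review bot: The new `selection_susp_powershell_cli` selection matches encoded or hidden-window PowerShell execution, not the "command line parameters often used during reconnaissance" that the rule's description (visible as the first hunk's header context) announces, so the description should be widened to mention encoded/hidden PowerShell command lines now that the `modified` date has been bumped. The `condition` that decides how this selection combines with the web-server parent selection is outside both hunks; the `selection_susp_` prefix suggests it is picked up by a `1 of selection_susp_*` style condition, but that should be confirmed, otherwise the new selection is dead weight. Two keywords are inconsistent with the Cleo rule added in this same commit: `' -EncodedCommand '` carries a trailing space here but not there, and `' -w hidden '` with its trailing space will not match when the flag is the last token of the command line; the trailing space on `' -enc '` presumably avoids matching `-encoding`, so whichever spelling is intended should be applied to both files.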