From 35770c7035fa2d3c4cb0da2f7f7fd2e63450ea8e Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 13 Apr 2022 19:18:15 +0200
Subject: [PATCH] rule: CVE-2022-23527 LPE

https://www.rapid7.com/blog/post/2022/04/12/cve-2022-24527-microsoft-connected-cache-local-privilege-escalation-fixed/

---
 .../file_event_win_cve_2022_24527_lpe.yml | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 rules/windows/file_event/file_event_win_cve_2022_24527_lpe.yml

diff --git a/rules/windows/file_event/file_event_win_cve_2022_24527_lpe.yml b/rules/windows/file_event/file_event_win_cve_2022_24527_lpe.yml
new file mode 100644
index 000000000..263f1dec7
--- /dev/null
+++ b/rules/windows/file_event/file_event_win_cve_2022_24527_lpe.yml
@@ -0,0 +1,27 @@
+title: CVE-2022-23527 Microsoft Connected Cache LPE
+id: e0a41412-c69a-446f-8e6e-0e6d7483dad7
+description: Detects files created during the local privilege exploitation of CVE-2022-23527 Microsoft Connected Cache
+author: Florian Roth
+status: experimental
+references:
+ - https://www.rapid7.com/blog/post/2022/04/12/cve-2022-24527-microsoft-connected-cache-local-privilege-escalation-fixed/
+date: 2022/04/13
+tags:
+ - attack.execution
+ - attack.privilege_escalation
+ - attack.t1587
+ - cve.2022.24527
+logsource:
+ category: file_event
+ product: windows
+detection:
+ selection:
+ TargetFilename|endswith: 'WindowsPowerShell\Modules\webAdministration\webAdministration.psm1'
+ filter:
+ User|contains:
+ - 'AUTHORI'
+ - 'AUTORI'
+ condition: selection and not filter
+falsepositives:
+ - Unknown
+level: high
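Review bot: The CVE number is inconsistent inside the new rule: `title` and `description` (and the commit subject) say CVE-2022-23527, while the file name, the Rapid7 reference URL and the `cve.2022.24527` tag all use 24527, so the title and description are most likely the typo and should read `title: CVE-2022-24527 Microsoft Connected Cache LPE` with the description corrected the same way, otherwise analysts searching by the published CVE id will not find the rule. The `attack.t1587` tag also looks out of place next to the execution and privilege_escalation tactics, since T1587 (Develop Capabilities) is a resource-development technique; the intended technique id is worth re-checking. Because the filter only suppresses writes by system accounts (`User|contains` 'AUTHORI'/'AUTORI'), an administrator legitimately installing or updating the WebAdministration PowerShell module under their own account would match the selection, so `falsepositives` could name that case rather than `Unknown`.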