security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

rule: Serv-U exploitation

Browse Source 
https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/
This commit is contained in:
Florian Roth
2021-07-14 08:35:25 +02:00
parent 5e7f1f3a36
commit e0f166aba2
2 changed files with 64 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/process_creation/win_susp_servu_exploitation_cve_2021_35211.yml
+29
View File
@@ -0,0 +1,29 @@
title: Serv-U Exploitation CVE-2021-35211 by DEV-0322
id: 75578840-9526-4b2a-9462-af469a45e767
status: experimental
description: Detects patterns as noticed in exploitation of Serv-U CVE-2021-35211 vulnerability by threat group DEV-0322
author: Florian Roth
date: 2021/07/14
references:
- https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/
logsource:
category: process_creation
product: windows
tags:
- attack.persistence
- attack.t1136.001
- cve.2021-35211
- threat_group.DEV-0322
detection:
selection1:
CommandLine|contains: 'whoami'
selection2:
CommandLine|contains:
- './Client/Common/'
- '.\Client\Common\'
selection3:
CommandLine|contains: 'C:\Windows\Temp\Serv-U.bat'
condition: selection1 and selection2 or selection3
falsepositives:
- Unlikely
level: critical
rules/windows/process_creation/win_susp_servu_process_pattern.yml
+35
View File
@@ -0,0 +1,35 @@
title: Suspicious Serv-U Process Pattern
id: 75578840-9526-4b2a-9462-af469a45e767
status: experimental
description: Detects a suspicious process pattern which could be a sign of an exploited Serv-U service
author: Florian Roth
date: 2021/07/14
references:
- https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/
logsource:
category: process_creation
product: windows
tags:
- cve.2021-35211
detection:
selection:
ParentImage|endswith: '\Serv-U.exe'
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\wscript.exe'
- '\cscript.exe'
- '\sh.exe'
- '\bash.exe'
- '\schtasks.exe'
- '\regsvr32.exe'
- '\wmic.exe' # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/
- '\mshta.exe'
- '\rundll32.exe'
- '\msiexec.exe'
- '\forfiles.exe'
- '\scriptrunner.exe'
condition: selection
falsepositives:
- Legitimate uses in which users or programs use the SSH service of Serv-U for remote command execution
level: critical