From e0f166aba22c8b12ca97b7cfbbdc78a170552de8 Mon Sep 17 00:00:00 2001
From: Florian Roth <florian.roth@nextron-systems.com>
Date: Wed, 14 Jul 2021 08:35:25 +0200
Subject: [PATCH] rule: Serv-U exploitation

https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/
---
 ...susp_servu_exploitation_cve_2021_35211.yml | 29 +++++++++++++++
 .../win_susp_servu_process_pattern.yml        | 35 +++++++++++++++++++
 2 files changed, 64 insertions(+)
 create mode 100644 rules/windows/process_creation/win_susp_servu_exploitation_cve_2021_35211.yml
 create mode 100644 rules/windows/process_creation/win_susp_servu_process_pattern.yml

diff --git a/rules/windows/process_creation/win_susp_servu_exploitation_cve_2021_35211.yml b/rules/windows/process_creation/win_susp_servu_exploitation_cve_2021_35211.yml
new file mode 100644
index 000000000..78f543acc
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_servu_exploitation_cve_2021_35211.yml
@@ -0,0 +1,29 @@
+title: Serv-U Exploitation CVE-2021-35211 by DEV-0322
+id: 75578840-9526-4b2a-9462-af469a45e767
+status: experimental
+description: Detects patterns as noticed in exploitation of Serv-U CVE-2021-35211 vulnerability by threat group DEV-0322 
+author: Florian Roth
+date: 2021/07/14
+references:
+    - https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/
+logsource:
+    category: process_creation
+    product: windows
+tags:
+    - attack.persistence
+    - attack.t1136.001
+    - cve.2021-35211
+    - threat_group.DEV-0322
+detection:
+    selection1:
+        CommandLine|contains: 'whoami'
+    selection2:
+        CommandLine|contains:
+            - './Client/Common/'
+            - '.\Client\Common\'
+    selection3:
+        CommandLine|contains: 'C:\Windows\Temp\Serv-U.bat'
+    condition: selection1 and selection2 or selection3
+falsepositives:
+    - Unlikely
+level: critical
diff --git a/rules/windows/process_creation/win_susp_servu_process_pattern.yml b/rules/windows/process_creation/win_susp_servu_process_pattern.yml
new file mode 100644
index 000000000..aa18889b1
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_servu_process_pattern.yml
@@ -0,0 +1,35 @@
+title: Suspicious Serv-U Process Pattern
+id: 75578840-9526-4b2a-9462-af469a45e767
+status: experimental
+description: Detects a suspicious process pattern which could be a sign of an exploited Serv-U service
+author: Florian Roth
+date: 2021/07/14
+references:
+    - https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/
+logsource:
+    category: process_creation
+    product: windows
+tags:
+    - cve.2021-35211
+detection:
+    selection:
+        ParentImage|endswith: '\Serv-U.exe'
+        Image|endswith:
+            - '\cmd.exe'
+            - '\powershell.exe'
+            - '\wscript.exe'
+            - '\cscript.exe'
+            - '\sh.exe'
+            - '\bash.exe'
+            - '\schtasks.exe'
+            - '\regsvr32.exe'
+            - '\wmic.exe'  # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/
+            - '\mshta.exe'
+            - '\rundll32.exe'
+            - '\msiexec.exe'
+            - '\forfiles.exe'
+            - '\scriptrunner.exe'
+    condition: selection
+falsepositives:
+    - Legitimate uses in which users or programs use the SSH service of Serv-U for remote command execution
+level: critical