security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #4187 from nasbench/queuejumper-rules

Browse Source 
feat: new rules related to queuejumper
This commit is contained in:
Nasreddine Bencherchali
2023-04-21 14:54:12 +02:00
committed by GitHub
parent faf78e1301 2d960a079a
commit f42d6dcbed
2 changed files with 50 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/builtin/application/msmq/win_msmq_corrupted_packet.yml
+22
View File
@@ -0,0 +1,22 @@
title: MSMQ Corrupted Packet Encountered
id: ae94b10d-fee9-4767-82bb-439b309d5a27
status: experimental
description: Detects corrupted packets sent to the MSMQ service. Could potentially be a sign of CVE-2023-21554 exploitation
references:
- https://www.randori.com/blog/vulnerability-analysis-queuejumper-cve-2023-21554/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/04/21
tags:
- attack.execution
logsource:
product: windows
service: application
detection:
selection:
Provider_Name: 'MSMQ'
EventID: 2027
Level: 2
condition: selection
falsepositives:
- Unknown
level: high
rules/windows/builtin/system/service_control_manager/win_system_service_terminated_unexpectedly.yml
+28
View File
@@ -0,0 +1,28 @@
title: Important Windows Service Terminated Unexpectedly
id: 56abae0c-6212-4b97-adc0-0b559bb950c3
status: experimental
description: Detects important or interesting windows services that got terminated unexpectedly.
references:
- https://www.randori.com/blog/vulnerability-analysis-queuejumper-cve-2023-21554/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/04/14
tags:
- attack.defense_evasion
logsource:
product: windows
service: system
detection:
selection_eid:
Provider_Name: 'Service Control Manager'
EventID: 7034 # The X service terminated unexpectedly. It has done this Y time(s).
selection_name:
# Note that these names contained in "param1" are "Display Names" and are language specific. If you're using a non-english system these can and will be different
- param1|contains: 'Message Queuing'
# Use this If you collect the binary value provided from this event, which is the wide hex encoded value of the service name.
- Binary|contains:
- '4d0053004d005100' # MSMQ (Microsoft Message Queuing). Encoded in upper case just in case
- '6d0073006d007100' # msmq
condition: all of selection_*
falsepositives:
- Rare false positives could occur since service termination could happen due to multiple reasons
level: high