From c2da93b6c10b940d26c9e9b6095892b6f7b39fa0 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 21 Apr 2023 01:09:51 +0200
Subject: [PATCH 1/3] feat: new rules related to queuejumer
---
 .../msmq/win_msmq_corrupted_packet.yml | 22 +++++++++++++++
 ...system_service_terminated_unexpectedly.yml | 28 +++++++++++++++++++
 2 files changed, 50 insertions(+)
 create mode 100644 rules/windows/builtin/application/msmq/win_msmq_corrupted_packet.yml
 create mode 100644 rules/windows/builtin/system/service_control_manager/win_system_service_terminated_unexpectedly.yml
diff --git a/rules/windows/builtin/application/msmq/win_msmq_corrupted_packet.yml b/rules/windows/builtin/application/msmq/win_msmq_corrupted_packet.yml
new file mode 100644
index 000000000..e3c7217bc
--- /dev/null
+++ b/rules/windows/builtin/application/msmq/win_msmq_corrupted_packet.yml
@@ -0,0 +1,22 @@
+title: MSMQ Corrupted Packet Encountered
+id: ae94b10d-fee9-4767-82bb-439b309d5a27
+status: experimental
+description: Detects corrupted packets sent to the MSMQ service. Could potentially a sign of CVE-2023-21554 exploitation
+references:
+ - https://www.randori.com/blog/vulnerability-analysis-queuejumper-cve-2023-21554/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/04/21
+tags:
+ - attack.execution
+logsource:
+ product: windows
+ service: application
+detection:
+ selection:
+ Provider_Name: 'MSMQ'
+ EventID: 2027
+ Level: 2
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_unexpectedly.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_unexpectedly.yml
new file mode 100644
index 000000000..c4c601d7f
--- /dev/null
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_unexpectedly.yml
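Review bot: The new `description` presents Event 2027 as a possible sign of CVE-2023-21554 exploitation without saying what the event actually records, which is MSMQ rejecting a packet it could not parse; as far as I can tell that means the rule catches malformed traffic and failed or noisy attempts, while a cleanly working exploit need not leave this event at all. I would state that so nobody reads the absence of 2027 as absence of exploitation, e.g. `description: Detects corrupted packets rejected by the MSMQ service (Event ID 2027). Malformed MSMQ traffic is a possible indicator of CVE-2023-21554 (QueueJumper) exploitation attempts; a successful exploit does not necessarily produce this event.`. `falsepositives: - Unknown` could name the benign source a tuning team will hit first, vulnerability scanners and misbehaving clients sending malformed MSMQ traffic, though I have not confirmed which scanners trigger it. A `# Error` comment next to `Level: 2` would spare the next reader a lookup.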
@@ -0,0 +1,28 @@
+title: Important Windows Service Terminated With Unexpectedly
+id: 56abae0c-6212-4b97-adc0-0b559bb950c3
+status: experimental
+description: Detects important or interesting windows services that got terminated unexpectedly.
+references:
+ - https://www.randori.com/blog/vulnerability-analysis-queuejumper-cve-2023-21554/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/04/14
+tags:
+ - attack.defense_evasion
+logsource:
+ product: windows
+ service: system
+detection:
+ selection_eid:
+ Provider_Name: 'Service Control Manager'
+ EventID: 7023 # The X service terminated unexpectedly. It has done this Y time(s).
+ selection_name:
+ # Note that these names contained in "param1" are "Display Names" and are language specific. If you're using a non-english system these can and will be different
+ - param1|contains: 'Message Queuing'
+ # Use this If you collect the binary value provided from this event, which is the wide hex encoded value of the service name.
+ - Binary|contains:
+ - '4d0053004d005100' # MSMQ (Microsoft Message Queuing). Encoded in upper case just in case
+ - '6d0073006d007100' # msmq
+ condition: all of selection_*
+falsepositives:
+ - Rare false positives could occur since service termination could happen due to multiple reasons
+level: high
From e3297947624a30f81da0f20bfb29558e70732a8c Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 21 Apr 2023 01:21:40 +0200
Subject: [PATCH 2/3] fix: wrong eid
---
 .../win_system_service_terminated_unexpectedly.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_unexpectedly.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_unexpectedly.yml
index c4c601d7f..d84230c97 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_unexpectedly.yml
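Review bot: `param1|contains: 'Message Queuing'` in `selection_name` is a substring match on the display name, so it would presumably also match the separate `Message Queuing Triggers` service (MSMQTriggers) if that one crashes; if only the core service is intended, an exact `param1: 'Message Queuing'` is tighter, otherwise the wider match deserves a comment. The `attack.defense_evasion` tag does not fit the only service the rule knows about, since an MSMQ crash after a malformed packet looks like a failed exploitation attempt or denial of service rather than evasion; I would either retag for the QueueJumper use case the reference describes or add the AV/EDR service names the tag implies. The description could also say that a hit here is a crash only, and that correlating with MSMQ Event ID 2027 in the Application log (the sibling rule in this patch) raises confidence. `date: 2023/04/14` predates the other rule and the commit date, which is probably a leftover.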
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_unexpectedly.yml
@@ -14,7 +14,7 @@ logsource:
 detection:
 selection_eid:
 Provider_Name: 'Service Control Manager'
- EventID: 7023 # The X service terminated unexpectedly. It has done this Y time(s).
+ EventID: 7034 # The X service terminated unexpectedly. It has done this Y time(s).
 selection_name:
 # Note that these names contained in "param1" are "Display Names" and are language specific. If you're using a non-english system these can and will be different
 - param1|contains: 'Message Queuing'
From 2d960a079abc3d9b7f03b9d68bc6130c7841acf3 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 21 Apr 2023 14:45:16 +0200
Subject: [PATCH 3/3] fix: apply suggestions from code review
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
---
 .../builtin/application/msmq/win_msmq_corrupted_packet.yml | 2 +-
 .../win_system_service_terminated_unexpectedly.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/windows/builtin/application/msmq/win_msmq_corrupted_packet.yml b/rules/windows/builtin/application/msmq/win_msmq_corrupted_packet.yml
index e3c7217bc..d5d0cd051 100644
--- a/rules/windows/builtin/application/msmq/win_msmq_corrupted_packet.yml
+++ b/rules/windows/builtin/application/msmq/win_msmq_corrupted_packet.yml
@@ -1,7 +1,7 @@
 title: MSMQ Corrupted Packet Encountered
 id: ae94b10d-fee9-4767-82bb-439b309d5a27
 status: experimental
-description: Detects corrupted packets sent to the MSMQ service. Could potentially a sign of CVE-2023-21554 exploitation
+description: Detects corrupted packets sent to the MSMQ service. Could potentially be a sign of CVE-2023-21554 exploitation
 references:
 - https://www.randori.com/blog/vulnerability-analysis-queuejumper-cve-2023-21554/
 author: Nasreddine Bencherchali (Nextron Systems)
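Review bot: The corrected `EventID: 7034` covers the crash only when the service has no recovery action configured; if I remember the Service Control Manager events correctly, the same termination is logged as 7031 (`The X service terminated unexpectedly. It has done this Y time(s). The following corrective action will be taken in Z milliseconds: Restart the service.`) when a restart action is set, which is common for MSMQ, so the rule would go blind on exactly those hosts. I would match both and keep the comments: `EventID:` / `    - 7031 # terminated unexpectedly, recovery action configured` / `    - 7034 # terminated unexpectedly, no recovery action`, after confirming in a lab that 7031 populates `param1` and `Binary` the same way. The surrounding `detection` block continues past the end of this hunk.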
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_unexpectedly.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_unexpectedly.yml
index d84230c97..ecf75354e 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_unexpectedly.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_unexpectedly.yml
@@ -1,4 +1,4 @@
-title: Important Windows Service Terminated With Unexpectedly
+title: Important Windows Service Terminated Unexpectedly
 id: 56abae0c-6212-4b97-adc0-0b559bb950c3
 status: experimental
 description: Detects important or interesting windows services that got terminated unexpectedly.