Sigma rules for CVE-2007-5348
104 rules · scoped to cve · back to CVE-2007-5348
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: New PDQDeploy Service - Server Side
id: ee9ca27c-9bd7-4cee-9b01-6e906be7cae3
status: test
description: |
Detects a PDQDeploy service installation which indicates that PDQDeploy was installed on the machines.
PDQDeploy can be abused by attackers to remotely install packages or execute commands on target machines
references:
- https://documentation.pdq.com/PDQDeploy/13.0.3.0/index.html?windows-services.htm
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-22
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1543.003
logsource:
product: windows
service: system
detection:
selection_root:
Provider_Name: 'Service Control Manager'
EventID: 7045
selection_service:
- ImagePath|contains: 'PDQDeployService.exe'
- ServiceName:
- 'PDQDeploy'
- 'PDQ Deploy'
condition: all of selection_*
falsepositives:
- Legitimate use of the tool
level: medium
title: NTLMv1 Logon Between Client and Server
id: e9d4ab66-a532-4ef7-a502-66a9e4a34f5d
status: test
description: Detects the reporting of NTLMv1 being used between a client and server. NTLMv1 is insecure as the underlying encryption algorithms can be brute-forced by modern hardware.
references:
- https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/22H2/W10_22H2_Pro_20230321_19045.2728/WEPExplorer/LsaSrv.xml
author: Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
date: 2022-04-26
modified: 2023-06-06
tags:
- attack.lateral-movement
- attack.t1550.002
logsource:
product: windows
service: system
detection:
selection:
Provider_Name: "LsaSrv"
EventID:
- 6038
- 6039
condition: selection
falsepositives:
- Environments that use NTLMv1
level: medium
title: DNS Server Discovery Via LDAP Query
id: a21bcd7e-38ec-49ad-b69a-9ea17e69509e
status: test
description: Detects DNS server discovery via LDAP query requests from uncommon applications
references:
- https://github.com/redcanaryco/atomic-red-team/blob/980f3f83fd81f37c1ca9c02dccfd1c3d9f9d0841/atomics/T1016/T1016.md#atomic-test-9---dns-server-discovery-using-nslookup
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/7fcdce70-5205-44d6-9c3a-260e616a2f04
author: frack113
date: 2022-08-20
modified: 2023-09-18
tags:
- attack.discovery
- attack.t1482
logsource:
product: windows
category: dns_query
detection:
selection:
QueryName|startswith: '_ldap.'
filter_main_generic:
Image|contains:
- ':\Program Files\'
- ':\Program Files (x86)\'
- ':\Windows\'
filter_main_defender:
Image|contains: ':\ProgramData\Microsoft\Windows Defender\Platform\'
Image|endswith: '\MsMpEng.exe'
filter_main_unknown:
Image: '<unknown process>'
filter_optional_azure:
Image|startswith: 'C:\WindowsAzure\GuestAgent'
filter_main_null:
Image: null
filter_optional_browsers:
# Note: This list is for browsers installed in the user context. To avoid basic evasions based on image name. Best to baseline this list with the browsers you use internally and add their full paths.
Image|endswith:
- '\chrome.exe'
- '\firefox.exe'
- '\opera.exe'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Likely
# Note: Incrase the level once a baseline is established
level: low
title: MSSQL Server Failed Logon
id: 218d2855-2bba-4f61-9c85-81d0ea63ac71
related:
- id: ebfe73c2-5bc9-4ed9-aaa8-8b54b2b4777d
type: similar
status: test
description: Detects failed logon attempts from clients to MSSQL server.
references:
- https://cybersecthreat.com/2020/07/08/enable-mssql-authentication-log-to-eventlog/
- https://www.experts-exchange.com/questions/27800944/EventID-18456-Failed-to-open-the-explicitly-specified-database.html
author: Nasreddine Bencherchali (Nextron Systems), j4son
date: 2023-10-11
modified: 2024-06-26
tags:
- attack.credential-access
- attack.t1110
logsource:
product: windows
service: application
definition: 'Requirements: Must enable MSSQL authentication.'
detection:
selection:
Provider_Name|contains: 'MSSQL' # Note: We use contains to account for other third party providers - See https://github.com/SigmaHQ/sigma/issues/4876
EventID: 18456
condition: selection
falsepositives:
- This event could stem from users changing an account's password that's used to authenticate via a job or an automated process. Investigate the source of such events and mitigate them
level: low