Sigma rules for CVE-2018-20699
3 rules · scoped to cve · back to CVE-2018-20699
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Suspicious Child Process Of Manage Engine ServiceDesk
id: cea2b7ea-792b-405f-95a1-b903ea06458f
status: test
description: Detects suspicious child processes of the "Manage Engine ServiceDesk Plus" Java web service
references:
- https://www.horizon3.ai/manageengine-cve-2022-47966-technical-deep-dive/
- https://github.com/horizon3ai/CVE-2022-47966/blob/3a51c6b72ebbd87392babd955a8fbeaee2090b35/CVE-2022-47966.py
- https://blog.viettelcybersecurity.com/saml-show-stopper/
author: Florian Roth (Nextron Systems)
date: 2023-01-18
modified: 2023-08-29
tags:
- attack.command-and-control
- attack.t1102
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|contains|all:
- '\ManageEngine\ServiceDesk\'
- '\java.exe'
Image|endswith:
- '\AppVLP.exe'
- '\bash.exe'
- '\bitsadmin.exe'
- '\calc.exe'
- '\certutil.exe'
- '\cscript.exe'
- '\curl.exe'
- '\forfiles.exe'
- '\mftrace.exe'
- '\mshta.exe'
- '\net.exe'
- '\net1.exe'
- '\notepad.exe' # Often used in POCs
- '\powershell.exe'
- '\pwsh.exe'
- '\query.exe'
- '\reg.exe'
- '\schtasks.exe'
- '\scrcons.exe'
- '\sh.exe'
- '\systeminfo.exe'
- '\whoami.exe' # Often used in POCs
- '\wmic.exe'
- '\wscript.exe'
# - '\hh.exe'
# - '\regsvr32.exe'
# - '\rundll32.exe'
# - '\scriptrunner.exe'
filter_main_net:
Image|endswith:
- '\net.exe'
- '\net1.exe'
CommandLine|contains: ' stop'
condition: selection and not 1 of filter_main_*
falsepositives:
- Legitimate sub processes started by Manage Engine ServiceDesk Pro
level: high
title: Microsoft Malware Protection Engine Crash
id: 545a5da6-f103-4919-a519-e9aec1026ee4
related:
- id: 6c82cf5c-090d-4d57-9188-533577631108
type: similar
status: test
description: This rule detects a suspicious crash of the Microsoft Malware Protection Engine
references:
- https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5
- https://technet.microsoft.com/en-us/library/security/4022344
author: Florian Roth (Nextron Systems)
date: 2017-05-09
modified: 2023-04-14
tags:
- attack.stealth
- attack.defense-impairment
- attack.t1211
- attack.t1685
logsource:
product: windows
service: application
# warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
selection:
Provider_Name: 'Application Error'
EventID: 1000
Data|contains|all:
- 'MsMpEng.exe'
- 'mpengine.dll'
condition: selection
falsepositives:
- MsMpEng might crash if the "C:\" partition is full
level: high
title: Microsoft Malware Protection Engine Crash - WER
id: 6c82cf5c-090d-4d57-9188-533577631108
status: test
description: This rule detects a suspicious crash of the Microsoft Malware Protection Engine
references:
- https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5
- https://technet.microsoft.com/en-us/library/security/4022344
author: Florian Roth (Nextron Systems)
date: 2017-05-09
modified: 2023-04-14
tags:
- attack.stealth
- attack.defense-impairment
- attack.t1211
- attack.t1685
logsource:
product: windows
service: application
# warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
selection:
Provider_Name: 'Windows Error Reporting'
EventID: 1001
Data|contains|all:
- 'MsMpEng.exe'
- 'mpengine.dll'
condition: selection
falsepositives:
- MsMpEng might crash if the "C:\" partition is full
level: high