Sigma rules · CVE-2023-30843

Home/CVE-2023-30843/Sigma rules

Sigma

Sigma rules for CVE-2023-30843

5 rules · scoped to cve · back to CVE-2023-30843

Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.

◈

Detection rules

5 of 5

direct high

Scheduled Task Executing Encoded Payload from Registry

Detects the creation of a schtask that potentially executes a base64 encoded payload stored in the Windows Registry using PowerShell.

status test author pH-T (Nextron Systems), @Kostastsale, TheDFIRReport, X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) id c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78 license Sigma · DRL-1.1

view Sigma YAML

title: Scheduled Task Executing Encoded Payload from Registry
id: c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78
status: test
description: Detects the creation of a schtask that potentially executes a base64 encoded payload stored in the Windows Registry using PowerShell.
references:
    - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
author: pH-T (Nextron Systems), @Kostastsale, TheDFIRReport, X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-02-12
modified: 2023-02-04
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.t1053.005
    - attack.t1059.001
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        # schtasks.exe /Create /F /TN "{97F2F70B-10D1-4447-A2F3-9B070C86E261}" /TR "cmd /c start /min \"\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\SOFTWARE\Pvoeooxf).yzbbvhhdypa))) " /SC MINUTE /MO 30
        - Image|endswith: '\schtasks.exe'
        - OriginalFileName: 'schtasks.exe'
    selection_cli_create:
        CommandLine|contains: '/Create'
    selection_cli_encoding:
        CommandLine|contains:
            - 'FromBase64String'
            - 'encodedcommand'
    selection_cli_get:
        CommandLine|contains:
            - 'Get-ItemProperty'
            - ' gp ' # Alias
    selection_cli_hive:
        CommandLine|contains:
            - 'HKCU:'
            - 'HKLM:'
            - 'registry::'
            - 'HKEY_'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high

direct high

VBScript Payload Stored in Registry

Detects VBScript content stored into registry keys as seen being used by UNC2452 group

status test author Florian Roth (Nextron Systems) id 46490193-1b22-4c29-bdd6-5bf63907216f license Sigma · DRL-1.1

view Sigma YAML

title: VBScript Payload Stored in Registry
id: 46490193-1b22-4c29-bdd6-5bf63907216f
status: test
description: Detects VBScript content stored into registry keys as seen being used by UNC2452 group
references:
    - https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
author: Florian Roth (Nextron Systems)
date: 2021-03-05
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: 'Software\Microsoft\Windows\CurrentVersion'
        Details|contains:
            - 'vbscript:'
            - 'jscript:'
            - 'mshtml,'
            - 'RunHTMLApplication'
            - 'Execute('
            - 'CreateObject'
            - 'window.close'
    filter:
        TargetObject|contains: 'Software\Microsoft\Windows\CurrentVersion\Run'
    filter_dotnet:
        Image|endswith: '\msiexec.exe'
        TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\'
        Details|contains:
            - '\Microsoft.NET\Primary Interop Assemblies\Microsoft.mshtml.dll'
            - '<\Microsoft.mshtml,fileVersion='
            - '_mshtml_dll_'
            - '<\Microsoft.mshtml,culture='
    condition: selection and not 1 of filter*
falsepositives:
    - Unknown
level: high

direct high

Java Payload Strings

Detects possible Java payloads in web access logs

status test author frack113, Harjot Singh, "@cyb3rjy0t" (update) id 583aa0a2-30b1-4d62-8bf3-ab73689efe6c license Sigma · DRL-1.1

view Sigma YAML

title: Java Payload Strings
id: 583aa0a2-30b1-4d62-8bf3-ab73689efe6c
status: test
description: Detects possible Java payloads in web access logs
references:
    - https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/
    - https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/
    - https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md
    - https://twitter.com/httpvoid0x2f/status/1532924261035384832
    - https://medium.com/geekculture/text4shell-exploit-walkthrough-ebc02a01f035
author: frack113, Harjot Singh, "@cyb3rjy0t" (update)
date: 2022-06-04
modified: 2023-01-19
tags:
    - cve.2022-26134
    - cve.2021-26084
    - attack.initial-access
    - attack.t1190
logsource:
    category: webserver
detection:
    keywords:
        - '%24%7B%28%23a%3D%40'
        - '${(#a=@'
        - '%24%7B%40java'
        - '${@java'
        - 'u0022java'
        - '%2F%24%7B%23'
        - '/${#'
        - 'new+java.'
        - 'getRuntime().exec('
        - 'getRuntime%28%29.exec%28'
    condition: keywords
falsepositives:
    - Legitimate apps
level: high

direct medium

Payload Decoded and Decrypted via Built-in Utilities

Detects when a built-in utility is used to decode and decrypt a payload after a macOS disk image (DMG) is executed. Malware authors may attempt to evade detection and trick users into executing malicious code by encoding and encrypting their payload and placing it in a disk image file. This behavior is consistent with adware or malware families such as Bundlore and Shlayer.

status test author Tim Rauch (rule), Elastic (idea) id 234dc5df-40b5-49d1-bf53-0d44ce778eca license Sigma · DRL-1.1

view Sigma YAML

title: Payload Decoded and Decrypted via Built-in Utilities
id: 234dc5df-40b5-49d1-bf53-0d44ce778eca
status: test
description: Detects when a built-in utility is used to decode and decrypt a payload after a macOS disk image (DMG) is executed. Malware authors may attempt to evade detection and trick users into executing malicious code by encoding and encrypting their payload and placing it in a disk image file. This behavior is consistent with adware or malware families such as Bundlore and Shlayer.
references:
    - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-5d42c3d772e04f1e8d0eb60f5233bc79def1ea73105a2d8822f44164f77ef823
author: Tim Rauch (rule), Elastic (idea)
date: 2022-10-17
tags:
    - attack.stealth
    - attack.t1059
    - attack.t1204
    - attack.execution
    - attack.t1140
    - attack.s0482
    - attack.s0402
logsource:
    category: process_creation
    product: macos
detection:
    selection:
        Image|endswith: '/openssl'
        CommandLine|contains|all:
            - '/Volumes/'
            - 'enc'
            - '-base64'
            - ' -d '
    condition: selection
falsepositives:
    - Unknown
level: medium

direct medium

Scheduled Task Executing Payload from Registry

Detects the creation of a schtasks that potentially executes a payload stored in the Windows Registry using PowerShell.

status test author X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) id 86588b36-c6d3-465f-9cee-8f9093e07798 license Sigma · DRL-1.1

view Sigma YAML

title: Scheduled Task Executing Payload from Registry
id: 86588b36-c6d3-465f-9cee-8f9093e07798
related:
    - id: c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78
      type: derived
status: test
description: Detects the creation of a schtasks that potentially executes a payload stored in the Windows Registry using PowerShell.
references:
    - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023-07-18
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.t1053.005
    - attack.t1059.001
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        # schtasks.exe /Create /F /TN "{97F2F70B-10D1-4447-A2F3-9B070C86E261}" /TR "cmd /c start /min \"\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\SOFTWARE\Pvoeooxf).yzbbvhhdypa))) " /SC MINUTE /MO 30
        - Image|endswith: '\schtasks.exe'
        - OriginalFileName: 'schtasks.exe'
    selection_cli_create:
        CommandLine|contains: '/Create'
    selection_cli_get:
        CommandLine|contains:
            - 'Get-ItemProperty'
            - ' gp ' # Alias
    selection_cli_hive:
        CommandLine|contains:
            - 'HKCU:'
            - 'HKLM:'
            - 'registry::'
            - 'HKEY_'
    filter_main_encoding:
        CommandLine|contains:
            - 'FromBase64String'
            - 'encodedcommand'
    condition: all of selection_* and not 1 of filter_*
falsepositives:
    - Unknown
level: medium

Showing 1-5 of 5

Prev 1 Next

Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities

Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs

Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures

Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1

About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service

threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin