Detection rules › Sigma

Potential CVE-2023-21554 QueueJumper Exploitation

Status
test
Severity
high
Author
Nasreddine Bencherchali (Nextron Systems)
Source
github.com/SigmaHQ/sigma

Detects potential exploitation of CVE-2023-21554 (dubbed QueueJumper)

Event coverage

Rule body yaml

title: Potential CVE-2023-21554 QueueJumper Exploitation
id: 53207cc2-0745-4c19-bc72-80be1cc16b3f
status: test
description: Detects potential exploitation of CVE-2023-21554 (dubbed QueueJumper)
references:
    - https://research.checkpoint.com/2023/queuejumper-critical-unauthorized-rce-vulnerability-in-msmq-service/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-12
tags:
    - attack.privilege-escalation
    - attack.execution
    - cve.2023-21554
    - detection.emerging-threats
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentImage|endswith: '\Windows\System32\mqsvc.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\schtasks.exe'
            - '\wmic.exe'
            - '\wscript.exe'
            - '\wsl.exe'
    condition: selection
falsepositives:
    - Unknown
level: high

Stages and Predicates

Stage 0: condition

selection

Stage 1: selection

selection:
    ParentImage|endswith: '\Windows\System32\mqsvc.exe'
    Image|endswith:
        - '\cmd.exe'
        - '\cscript.exe'
        - '\mshta.exe'
        - '\powershell.exe'
        - '\pwsh.exe'
        - '\regsvr32.exe'
        - '\rundll32.exe'
        - '\schtasks.exe'
        - '\wmic.exe'
        - '\wscript.exe'
        - '\wsl.exe'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
Imageends_with
  • \cmd.exe corpus 134 (sigma 134)
  • \cscript.exe corpus 76 (sigma 76)
  • \mshta.exe corpus 69 (sigma 69)
  • \powershell.exe corpus 186 (sigma 186)
  • \pwsh.exe corpus 172 (sigma 172)
  • \regsvr32.exe corpus 68 (sigma 68)
  • \rundll32.exe corpus 103 (sigma 103)
  • \schtasks.exe corpus 57 (sigma 57)
  • \wmic.exe corpus 61 (sigma 61)
  • \wscript.exe corpus 78 (sigma 78)
  • \wsl.exe corpus 11 (sigma 11)
ParentImageends_with
  • \Windows\System32\mqsvc.exe