-
-
Notifications
You must be signed in to change notification settings - Fork 2.2k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Browse files
Browse the repository at this point in the history
fix: EVTX Created In Uncommon Location - Reduce level and remove filters fix: Files With System Process Name In Unsuspected Locations - Add additional paths fix: New RUN Key Pointing to Suspicious Folder new: CVE-2024-1212 Exploitation - Progress Kemp LoadMaster Unauthenticated Command Injection new: MaxMpxCt Registry Value Changed update: Potentially Suspicious CMD Shell Output Redirect - Enhance logic update: Suspicious Command Patterns In Scheduled Task Creation - Enhance logic --------- Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
- Loading branch information
1 parent
0d63f52
commit f0395b8
Showing
10 changed files
with
129 additions
and
72 deletions.
There are no files selected for viewing
32 changes: 32 additions & 0 deletions
32
rules-emerging-threats/2024/Exploits/CVE-2024-1212/web_exploit_cve_2024_1212_.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,32 @@ | ||
title: CVE-2024-1212 Exploitation - Progress Kemp LoadMaster Unauthenticated Command Injection | ||
id: eafb8bd5-7605-4bfe-a9ec-0442bc151f15 | ||
status: experimental | ||
description: | | ||
Detects potential exploitation of CVE-2024-1709 an unauthenticated command injection in Progress Kemp LoadMaster. | ||
It looks for GET requests to '/access/set' API with the parameters 'param=enableapi' and 'value=1' as well as an "Authorization" header with a base64 encoded value with an uncommon character. | ||
references: | ||
- https://github.com/RhinoSecurityLabs/CVEs/blob/15cf4d86c83daa57b59eaa2542a0ed47ad3dc32d/CVE-2024-1212/CVE-2024-1212.py | ||
- https://rhinosecuritylabs.com/research/cve-2024-1212unauthenticated-command-injection-in-progress-kemp-loadmaster/ | ||
author: Nasreddine Bencherchali (Nextron Systems) | ||
date: 2024/03/20 | ||
tags: | ||
- attack.initial_access | ||
- cve.2024.1212 | ||
logsource: | ||
category: webserver | ||
detection: | ||
selection_path: | ||
cs-method: 'GET' | ||
cs-uri-stem|contains|all: | ||
- '/access/set' | ||
- 'param=enableapi' | ||
- 'value=1' | ||
selection_keywords: | ||
- 'Basic Jz' | ||
- 'Basic c7' | ||
- 'Basic nO' | ||
- "Basic ';" | ||
condition: all of selection_* | ||
falsepositives: | ||
- Unlikely | ||
level: high |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
27 changes: 27 additions & 0 deletions
27
rules/windows/registry/registry_set/registry_set_optimize_file_sharing_network.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,27 @@ | ||
title: MaxMpxCt Registry Value Changed | ||
id: 0e6a9e62-627e-496c-aef5-bfa39da29b5e | ||
status: experimental | ||
description: | | ||
Detects changes to the "MaxMpxCt" registry value. | ||
MaxMpxCt specifies the maximum outstanding network requests for the server per client, which is used when negotiating a Server Message Block (SMB) connection with a client. Note if the value is set beyond 125 older Windows 9x clients will fail to negotiate. | ||
Ransomware threat actors and operators (specifically BlackCat) were seen increasing this value in order to handle a higher volume of traffic. | ||
references: | ||
- https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps | ||
- https://securityscorecard.com/research/deep-dive-into-alphv-blackcat-ransomware | ||
- https://www.intrinsec.com/alphv-ransomware-gang-analysis/?cn-reloaded=1 | ||
- https://www.sentinelone.com/labs/blackcat-ransomware-highly-configurable-rust-driven-raas-on-the-prowl-for-victims/ | ||
author: Nasreddine Bencherchali (Nextron Systems) | ||
date: 2024/03/19 | ||
tags: | ||
- attack.defense_evasion | ||
- attack.t1070.005 | ||
logsource: | ||
category: registry_set | ||
product: windows | ||
detection: | ||
selection: | ||
TargetObject|endswith: '\Services\LanmanServer\Parameters\MaxMpxCt' | ||
condition: selection | ||
falsepositives: | ||
- Unknown | ||
level: low |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters