Merge PR #5116 from @Neo23x0 - Add rules and updates related to Cleo …

…exploitation new: CVE-2024-50623 Exploitation Attempt - Cleo update: Webshell Detection With Command Line Keywords - Add suspicious powershell commandline keywords --------- Co-authored-by: Nasreddine Bencherchali <[email protected]>
SigmaHQ · Dec 14, 2024 · 17dcad4 · 17dcad4
1 parent 957c1fc
commit 17dcad4
Show file tree

Hide file tree

Showing 2 changed files with 47 additions and 2 deletions.
diff --git a/...ng-threats/2024/Exploits/CVE-2024-50623/proc_creation_win_exploit_cve_2024_50623_cleo.yml b/...ng-threats/2024/Exploits/CVE-2024-50623/proc_creation_win_exploit_cve_2024_50623_cleo.yml
@@ -0,0 +1,33 @@
+title: CVE-2024-50623 Exploitation Attempt - Cleo
+id: f007b877-02e3-45b7-8501-1b78c2864029
+status: experimental
+description: |
+    Detects exploitation attempt of Cleo's CVE-2024-50623 by looking for a "cmd.exe" process spawning from the Celo software suite with suspicious Powershell commandline.
+references:
+    - https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild
+author: Tanner Filip, Austin Worline, Chad Hudson, Matt Anderson
+date: 2024-12-09
+tags:
+    - attack.execution
+    - attack.t1190
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        ParentImage|endswith: '\javaw.exe'
+        ParentCommandLine|contains:
+            - 'Harmony'
+            - 'lexicom'
+            - 'VersaLex'
+            - 'VLTrader'
+        Image|endswith: '\cmd.exe'
+        CommandLine|contains:
+            - 'powershell'
+            - ' -enc '
+            - ' -EncodedCommand'
+            - '.Download'
+    condition: selection
+falsepositives:
+    - Unlikely
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_webshell_recon_commands_and_processes.yml b/rules/windows/process_creation/proc_creation_win_webshell_recon_commands_and_processes.yml
@@ -5,9 +5,10 @@ description: Detects certain command line parameters often used during reconnais
 references:
     - https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html
     - https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/
-author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, Anton Kutepov, oscd.community
+    - https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild
+author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, Anton Kutepov, oscd.community, Chad Hudson, Matt Anderson
 date: 2017-01-01
-modified: 2022-05-13
+modified: 2024-12-14
 tags:
     - attack.persistence
     - attack.t1505.003
@@ -58,6 +59,17 @@ detection:
     selection_susp_wmic_utility:
         OriginalFileName: 'wmic.exe'
         CommandLine|contains: ' /node:'
+    selection_susp_powershell_cli:
+        Image|endswith:
+            - '\cmd.exe'
+            - '\powershell.exe'
+            - '\pwsh.exe'
+        CommandLine|contains:
+            - ' -enc '
+            - ' -EncodedCommand '
+            - ' -w hidden '
+            - ' -windowstyle hidden'
+            - '.WebClient).Download'
     selection_susp_misc_discovery_binaries:
         - Image|endswith:
               - '\dsquery.exe'