Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

Suspicious Serv-U Process Pattern

Detects a suspicious process pattern which could be a sign of an exploited Serv-U service

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Florian Roth (Nextron Systems)Created Wed Jul 14Updated Thu Jul 1458f4ea09-0fc2-4520-ba18-b85c540b0eafwindows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic1 selector
detection:
    selection:
        ParentImage|endswith: '\Serv-U.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\wscript.exe'
            - '\cscript.exe'
            - '\sh.exe'
            - '\bash.exe'
            - '\schtasks.exe'
            - '\regsvr32.exe'
            - '\wmic.exe'  # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/
            - '\mshta.exe'
            - '\rundll32.exe'
            - '\msiexec.exe'
            - '\forfiles.exe'
            - '\scriptrunner.exe'
    condition: selection
False Positives

Legitimate uses in which users or programs use the SSH service of Serv-U for remote command execution

References
1
Resolving title…
microsoft.com
MITRE ATT&CK

Other

cve.2021-35211
Rule Metadata
Rule ID
58f4ea09-0fc2-4520-ba18-b85c540b0eaf
Status
test
Level
high
Type
Detection
Created
Wed Jul 14
Modified
Thu Jul 14
Author
Florian Roth (Nextron Systems)
Path
rules/windows/process_creation/proc_creation_win_servu_susp_child_process.yml
Raw Tags
attack.credential-accessattack.t1555cve.2021-35211
View on GitHub