Emerging Threat | Level: high | Status: test
Potential Exploitation Attempt Of Undocumented WindowsServer RCE
Detects potential exploitation attempt of undocumented Windows Server Pre Auth Remote Code Execution (RCE)
Authors: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
Created: Sat Jan 21 2023
Rule ID: 6d5b8176-d87d-4402-8af4-53aee9db7b5d
Emerging Threat
Active Threat
Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.
Log Source
Windows / Process Creation
Product: Windows (raw: windows)
Category: Process Creation (raw: process_creation)
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic
detection:
    selection:
        ParentImage|endswith: '\svchost.exe'
        Image|endswith: '\svchost.exe'
        ParentCommandLine|contains: '-k DHCPServer'
        CommandLine|contains: '-k DHCPServer'
        User|contains: # Covers many language settings for Network Service. Please expand.
            - 'NETWORK SERVICE'
            - 'NETZWERKDIENST'
            - 'SERVIZIO DI RETE'
            - 'SERVICIO DE RED'
    condition: selection
False Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
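To show how the selection above behaves on real telemetry shapes, here is an added Python evaluator (not part of the rule or of SigmaHQ) that applies the rule's `endswith`/`contains` modifiers, with Sigma's default case-insensitive matching, to constructed process-creation events: one that fires (svchost.exe spawning svchost.exe under the DHCPServer service group as Network Service) and one benign sibling that does not.

```python
# Added example: evaluates this Sigma rule's selection against constructed
# process-creation events. Not part of the rule itself or of SigmaHQ.
from typing import Dict, List

# Selection copied from the rule; keys carry the Sigma field modifier.
SELECTION: Dict[str, List[str]] = {
    "ParentImage|endswith": ["\\svchost.exe"],
    "Image|endswith": ["\\svchost.exe"],
    "ParentCommandLine|contains": ["-k DHCPServer"],
    "CommandLine|contains": ["-k DHCPServer"],
    "User|contains": ["NETWORK SERVICE", "NETZWERKDIENST",
                      "SERVIZIO DI RETE", "SERVICIO DE RED"],
}


def _field_matches(value: str, modifier: str, patterns: List[str]) -> bool:
    # Sigma string matching is case-insensitive by default; a value list is OR.
    v = value.lower()
    for p in (x.lower() for x in patterns):
        if modifier == "endswith" and v.endswith(p):
            return True
        if modifier == "contains" and p in v:
            return True
    return False


def matches_rule(event: Dict[str, str]) -> bool:
    """condition: selection -> every field in the selection must match (AND)."""
    for key, patterns in SELECTION.items():
        field, modifier = key.split("|", 1)
        if not _field_matches(event.get(field, ""), modifier, patterns):
            return False
    return True


def scan(events: List[Dict[str, str]]) -> List[int]:
    """Return indexes of events that trigger the rule."""
    return [i for i, e in enumerate(events) if matches_rule(e)]


# Constructed sample events (hypothetical, not real telemetry).
HIT = {
    "ParentImage": r"C:\Windows\System32\svchost.exe",
    "Image": r"C:\Windows\System32\svchost.exe",
    "ParentCommandLine": r"C:\Windows\System32\svchost.exe -k DHCPServer",
    "CommandLine": r"C:\Windows\System32\svchost.exe -k DHCPServer",
    "User": r"NT AUTHORITY\NETWORK SERVICE",
}
# Same DHCPServer parent, but the child is not svchost.exe: does not fire.
BENIGN = dict(HIT, Image=r"C:\Windows\System32\conhost.exe",
              CommandLine="conhost.exe 0x4")

if __name__ == "__main__":
    print(scan([HIT, BENIGN]))  # -> [0]
```

Because the `User` check is a plain substring match, events logged under an account name the list does not cover (other OS languages) are silently missed, which is the gap the rule's own comment asks contributors to close.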
MITRE ATT&CK
Tactics
Other
detection.emerging-threats
Rule Metadata
Rule ID
6d5b8176-d87d-4402-8af4-53aee9db7b5d
Status
test
Level
high
Type
Emerging Threat
Created
Sat Jan 21
Path
rules-emerging-threats/2023/Exploits/Windows-Server-Unknown-Exploit/proc_creation_win_exploit_other_win_server_undocumented_rce.yml
Raw Tags
attack.initial-access
attack.t1190
detection.emerging-threats