Merge pull request #1706 from BlackB0lt/patch-12

Create sysmon_cve_2021_31979_cve_2021_33771_exploits.yml
2024-11-07 17:58:52 +00:00 · 2021-07-17 09:46:35 +02:00 · 2021-07-17 09:46:35 +02:00 · 56ae1938af
commit 56ae1938af
parent 3967240818 d3a1fb8565
1 changed files with 50 additions and 0 deletions
--- a/rules/windows/sysmon/sysmon_cve_2021_31979_cve_2021_33771_exploits.yml
+++ b/rules/windows/sysmon/sysmon_cve_2021_31979_cve_2021_33771_exploits.yml
@ -0,0 +1,50 @@
+action: global
+title: CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum
+id: ad7085ac-92e4-4b76-8ce2-276d2c0e68ef
+status: experimental
+description: Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum
+author: Sittikorn S
+date: 2021/07/16
+references:
+    - https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/
+    - https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/
+tags:
+    - attack.credential_access
+    - attack.t1566
+    - attack.t1203
+    - cve.2021-33771
+    - cve.2021-31979
+    - threat_group.Sourgum
+falsepositives:
+    - Unlikely
+level: critical
+---
+logsource:
+    product: windows
+    category: file_event
+detection:
+    selection:
+        TargetFileName|contains:
+            - 'C:\Windows\system32\physmem.sys'
+            - 'C:\Windows\System32\IME\IMEJP\imjpueact.dll'
+            - 'C:\Windows\system32\ime\IMETC\IMTCPROT.DLL'
+            - 'C:\Windows\system32\ime\SHARED\imecpmeid.dll'
+            - 'C:\Windows\system32\config\spp\ServiceState\Recovery\pac.dat'
+            - 'C:\Windows\system32\config\cy-GB\Setup\SKB\InputMethod\TupTask.dat'
+            - 'C:\Windows\system32\config\config\startwus.dat'
+            - 'C:\Windows\system32\ime\SHARED\WimBootConfigurations.ini'
+            - 'C:\Windows\system32\ime\IMEJP\WimBootConfigurations.ini'
+            - 'C:\Windows\system32\ime\IMETC\WimBootConfigurations.ini'
+    condition: selection
+---
+logsource:
+    product: windows
+    category: registry_event
+detection:
+    selection:
+        TargetObject|contains: 
+            - '\Software\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32'
+            - '\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32'
+    keywords:
+        - IMJPUEXP.DLL
+    condition: selection and keywords