Jun 1, 2022
1 min read
Wazuh Detection Rules for MS RCE CVE-2022–30190, “Follina”.
Intro
References: Huntress Labs Blog
Microsoft CVE Info.
EDR: Wazuh agent + Sysmon with Mitre Enriched. Rules available in our Github Repo, rules file “MITRE_TECHNIQUES_FROM_SYSMON_EVENT1.xml”
Detection Rules
Child rules using “MITRE_TECHNIQUES_FROM_SYSMON_EVENT1.xml” and adding additional conditions for spawned processes:
<!-- MS RCE "Follina" Detection Rules -->
<!-- regsvr32 Spawned by MS-OFFICE Processes-->
<rule id="100506" level="13">
<if_sid>100160</if_sid>
<field name="win.eventdata.parentImage">winword.exe$|excel.exe$|powerpnt.exe$</field>
<description>Sysmon - Event 1: Process $(win.eventdata.description) - MS RCE Follina Detection.</description>
<mitre>
<id>T1204</id>
<id>T1047</id>
<id>T1218</id>
</mitre>
<options>no_full_log</options>
<group>sysmon_event1,windows_sysmon_event1,sysmon_anomaly</group>
</rule>
<!-- rundll32 Spawned by MS-OFFICE Processes-->
<rule id="100507" level="13">
<if_sid>100110</if_sid>
<field name="win.eventdata.parentImage">winword.exe$|excel.exe$|powerpnt.exe$</field>
<description>Sysmon - Event 1: Process $(win.eventdata.description) - MS RCE Follina Detection.</description>
<mitre>
<id>T1204</id>
<id>T1047</id>
<id>T1218</id>
</mitre>
<options>no_full_log</options>
<group>sysmon_event1,windows_sysmon_event1,sysmon_anomaly</group>
</rule>
<!-- msiexec,verclsid,msdt Spawned by MS-OFFICE Processes-->
<rule id="100508" level="13">
<if_sid>100135</if_sid>
<field name="win.eventdata.parentImage">winword.exe$|excel.exe$|powerpnt.exe$</field>
<description>Sysmon - Event 1: Process $(win.eventdata.description) - MS RCE Follina Detection.</description>
<mitre>
<id>T1204</id>
<id>T1047</id>
<id>T1218</id>
</mitre>
<options>no_full_log</options>
<group>sysmon_event1,windows_sysmon_event1,sysmon_anomaly</group>
</rule>
<!-- mshta Spawned by MS-OFFICE Processes-->
<rule id="100509" level="13">
<if_sid>100163</if_sid>
<field name="win.eventdata.parentImage">winword.exe$|excel.exe$|powerpnt.exe$</field>
<description>Sysmon - Event 1: Process $(win.eventdata.description) - MS RCE Follina Detection.</description>
<mitre>
<id>T1204</id>
<id>T1047</id>
<id>T1218</id>
</mitre>
<options>no_full_log</options>
<group>sysmon_event1,windows_sysmon_event1,sysmon_anomaly</group>
</rule>Need Help?
The functionality discussed in this post, and so much more, are available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.
Website: https://www.socfortress.co/
Platform Demo: https://www.socfortress.co/demo_access.html
