Wazuh Detection Rules for MS RCE CVE-2022–30190, “Follina”.

Intro

Detection Rules

<!-- MS RCE "Follina" Detection Rules -->
<!-- regsvr32 Spawned by MS-OFFICE Processes-->
<rule id="100506" level="13">
<if_sid>100160</if_sid>
<field name="win.eventdata.parentImage">winword.exe$|excel.exe$|powerpnt.exe$</field>
<description>Sysmon - Event 1: Process $(win.eventdata.description) - MS RCE Follina Detection.</description>
<mitre>
<id>T1204</id>
<id>T1047</id>
<id>T1218</id>
</mitre>
<options>no_full_log</options>
<group>sysmon_event1,windows_sysmon_event1,sysmon_anomaly</group>
</rule>
<!-- rundll32 Spawned by MS-OFFICE Processes-->
<rule id="100507" level="13">
<if_sid>100110</if_sid>
<field name="win.eventdata.parentImage">winword.exe$|excel.exe$|powerpnt.exe$</field>
<description>Sysmon - Event 1: Process $(win.eventdata.description) - MS RCE Follina Detection.</description>
<mitre>
<id>T1204</id>
<id>T1047</id>
<id>T1218</id>
</mitre>
<options>no_full_log</options>
<group>sysmon_event1,windows_sysmon_event1,sysmon_anomaly</group>
</rule>
<!-- msiexec,verclsid,msdt Spawned by MS-OFFICE Processes-->
<rule id="100508" level="13">
<if_sid>100135</if_sid>
<field name="win.eventdata.parentImage">winword.exe$|excel.exe$|powerpnt.exe$</field>
<description>Sysmon - Event 1: Process $(win.eventdata.description) - MS RCE Follina Detection.</description>
<mitre>
<id>T1204</id>
<id>T1047</id>
<id>T1218</id>
</mitre>
<options>no_full_log</options>
<group>sysmon_event1,windows_sysmon_event1,sysmon_anomaly</group>
</rule>
<!-- mshta Spawned by MS-OFFICE Processes-->
<rule id="100509" level="13">
<if_sid>100163</if_sid>
<field name="win.eventdata.parentImage">winword.exe$|excel.exe$|powerpnt.exe$</field>
<description>Sysmon - Event 1: Process $(win.eventdata.description) - MS RCE Follina Detection.</description>
<mitre>
<id>T1204</id>
<id>T1047</id>
<id>T1218</id>
</mitre>
<options>no_full_log</options>
<group>sysmon_event1,windows_sysmon_event1,sysmon_anomaly</group>
</rule>

--

--

SOCFortress is a SaaS company that unifies Observability, Security Monitoring, Threat Intelligence and Security Orchestration, Automation, and Response (SOAR).

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
SOCFortress

SOCFortress is a SaaS company that unifies Observability, Security Monitoring, Threat Intelligence and Security Orchestration, Automation, and Response (SOAR).