Wazuh Detection Rules for MS RCE CVE-2022-30190, “Follina”.

Intro

References: Huntress Labs Blog

Microsoft CVE Info.

EDR: Wazuh agent plus Sysmon, with MITRE ATT&CK enrichment. The rules are available in our GitHub repo, in the rules file “MITRE_TECHNIQUES_FROM_SYSMON_EVENT1.xml”.

Detection Rules

Child rules that chain (via if_sid) onto the base Sysmon Event 1 rules in “MITRE_TECHNIQUES_FROM_SYSMON_EVENT1.xml” and add a parent-process condition, so they only fire when the LOLBin is spawned by a Microsoft Office process:

<!-- MS RCE "Follina" Detection Rules -->
<!-- regsvr32 Spawned by MS-OFFICE Processes -->
<rule id="100506" level="13">
  <if_sid>100160</if_sid>
  <field name="win.eventdata.parentImage">winword.exe$|excel.exe$|powerpnt.exe$</field>
  <description>Sysmon - Event 1: Process $(win.eventdata.description) - MS RCE Follina Detection.</description>
  <mitre>
    <id>T1204</id>
    <id>T1047</id>
    <id>T1218</id>
  </mitre>
  <options>no_full_log</options>
  <group>sysmon_event1,windows_sysmon_event1,sysmon_anomaly</group>
</rule>

<!-- rundll32 Spawned by MS-OFFICE Processes -->
<rule id="100507" level="13">
  <if_sid>100110</if_sid>
  <field name="win.eventdata.parentImage">winword.exe$|excel.exe$|powerpnt.exe$</field>
  <description>Sysmon - Event 1: Process $(win.eventdata.description) - MS RCE Follina Detection.</description>
  <mitre>
    <id>T1204</id>
    <id>T1047</id>
    <id>T1218</id>
  </mitre>
  <options>no_full_log</options>
  <group>sysmon_event1,windows_sysmon_event1,sysmon_anomaly</group>
</rule>

<!-- msiexec, verclsid, msdt Spawned by MS-OFFICE Processes -->
<rule id="100508" level="13">
  <if_sid>100135</if_sid>
  <field name="win.eventdata.parentImage">winword.exe$|excel.exe$|powerpnt.exe$</field>
  <description>Sysmon - Event 1: Process $(win.eventdata.description) - MS RCE Follina Detection.</description>
  <mitre>
    <id>T1204</id>
    <id>T1047</id>
    <id>T1218</id>
  </mitre>
  <options>no_full_log</options>
  <group>sysmon_event1,windows_sysmon_event1,sysmon_anomaly</group>
</rule>

<!-- mshta Spawned by MS-OFFICE Processes -->
<rule id="100509" level="13">
  <if_sid>100163</if_sid>
  <field name="win.eventdata.parentImage">winword.exe$|excel.exe$|powerpnt.exe$</field>
  <description>Sysmon - Event 1: Process $(win.eventdata.description) - MS RCE Follina Detection.</description>
  <mitre>
    <id>T1204</id>
    <id>T1047</id>
    <id>T1218</id>
  </mitre>
  <options>no_full_log</options>
  <group>sysmon_event1,windows_sysmon_event1,sysmon_anomaly</group>
</rule>
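To sanity-check the rule logic before loading it on a manager, here is an added Python example (not from the post and not SOCFortress code) that parses the four child rules above, resolves their if_sid dependency and applies the parentImage condition to constructed Sysmon Event 1 records. The post only references the parent rules 100160/100110/100135/100163 by id, so their conditions are modelled here as a match on the spawned process image, inferred from the rule comments; that mapping, the nested win.eventdata layout, and case-insensitive matching are all assumptions of this example, not statements about the repo's rules.

```python
import re
import xml.etree.ElementTree as ET

# The four child rules from the post, reduced to the elements this evaluator needs.
RULES_XML = """
<group name="follina_detection">
  <rule id="100506" level="13"><if_sid>100160</if_sid>
    <field name="win.eventdata.parentImage">winword.exe$|excel.exe$|powerpnt.exe$</field></rule>
  <rule id="100507" level="13"><if_sid>100110</if_sid>
    <field name="win.eventdata.parentImage">winword.exe$|excel.exe$|powerpnt.exe$</field></rule>
  <rule id="100508" level="13"><if_sid>100135</if_sid>
    <field name="win.eventdata.parentImage">winword.exe$|excel.exe$|powerpnt.exe$</field></rule>
  <rule id="100509" level="13"><if_sid>100163</if_sid>
    <field name="win.eventdata.parentImage">winword.exe$|excel.exe$|powerpnt.exe$</field></rule>
</group>
"""

# ASSUMPTION: the parent rules are only named by id in the post. They are modelled
# here, from the rule comments, as a match on the spawned process image basename.
PARENT_RULES = {
    "100160": r"regsvr32\.exe$",
    "100110": r"rundll32\.exe$",
    "100135": r"(msiexec|verclsid|msdt)\.exe$",
    "100163": r"mshta\.exe$",
}


def load_child_rules(xml_text):
    """Return [(rule_id, level, parent_sid, field_name, pattern), ...] from the XML."""
    rules = []
    for rule in ET.fromstring(xml_text).iter("rule"):
        field = rule.find("field")
        rules.append((rule.get("id"), int(rule.get("level")),
                      rule.findtext("if_sid"), field.get("name"), field.text))
    return rules


def get_field(event, dotted_name):
    """Resolve a dotted field name such as win.eventdata.parentImage on a nested dict."""
    value = event
    for part in dotted_name.split("."):
        value = value.get(part, {}) if isinstance(value, dict) else {}
    return value if isinstance(value, str) else ""


def matched_parent_sids(event):
    """Which modelled parent rules fire on the spawned process image."""
    image = get_field(event, "win.eventdata.image")
    return {sid for sid, pat in PARENT_RULES.items()
            if re.search(pat, image, re.IGNORECASE)}


def evaluate(event, rules):
    """Return the ids of the child rules that fire for one Sysmon Event 1 record.

    A child fires only if its if_sid parent fired AND its field condition matches,
    which is the chaining behaviour the post relies on.
    """
    parents = matched_parent_sids(event)
    fired = []
    for rule_id, level, parent_sid, field_name, pattern in rules:
        if parent_sid not in parents:
            continue
        if re.search(pattern, get_field(event, field_name), re.IGNORECASE):
            fired.append(rule_id)
    return fired


def sysmon_event(parent_image, image):
    """Build a minimal decoded Sysmon Event 1 in the (assumed) win.eventdata layout."""
    return {"win": {"eventdata": {"parentImage": parent_image, "image": image}}}


OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"

# Constructed sample events, not real telemetry.
SAMPLES = {
    "word_spawns_msdt": sysmon_event(OFFICE + r"\WINWORD.EXE", r"C:\Windows\System32\msdt.exe"),
    "explorer_spawns_msdt": sysmon_event(r"C:\Windows\explorer.exe", r"C:\Windows\System32\msdt.exe"),
    "excel_spawns_rundll32": sysmon_event(OFFICE + r"\EXCEL.EXE", r"C:\Windows\System32\rundll32.exe"),
    "word_spawns_cmd": sysmon_event(OFFICE + r"\WINWORD.EXE", r"C:\Windows\System32\cmd.exe"),
}

if __name__ == "__main__":
    loaded = load_child_rules(RULES_XML)
    for name, event in SAMPLES.items():
        print(f"{name}: {evaluate(event, loaded) or 'no alert'}")
```

The second and fourth samples show why the chaining matters: msdt.exe launched from Explorer trips only the (modelled) parent rule, and an Office process spawning cmd.exe trips none of them, so the level-13 Follina alert is reserved for the Office-to-LOLBin combination. Python's re is used in place of Wazuh's own regex dialect; the `name$|name$` patterns behave the same in both, but confirm how your Wazuh version handles case before assuming the uppercase WINWORD.EXE that Sysmon reports will match.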

Need Help?

The functionality discussed in this post, and much more, is available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/

Platform Demo: https://www.socfortress.co/demo_access.html


SOCFortress is a SaaS company that unifies Observability, Security Monitoring, Threat Intelligence and Security Orchestration, Automation, and Response (SOAR).
