
Matched rule: SUSP_Doc_WordXMLRels_May22
  date = 2022-05-30, author = Tobias Michalski, Christian Burkard, Wojciech Cieslak, description = Detects a suspicious pattern in docx document
  Source: document.xml.rels, type: SAMPLE

Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22
  date =, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, reference = oublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, score =, modified = 2022-05-31, hash = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784
  Yara signature match
  Source: dump.pcap, type: PCAP

TCP traffic detected without corresponding DNS query: 101.33.231.

Connects to IPs without corresponding DNS lookups
Source: unknown
Network traffic detected: HTTP traffic on port 62563 -> 49181
Network traffic detected: HTTP traffic on port 49181 -> 62563
Network traffic detected: HTTP traffic on port 62563 -> 49180
Network traffic detected: HTTP traffic on port 49180 -> 62563
Network traffic detected: HTTP traffic on port 62563 -> 49179
Network traffic detected: HTTP traffic on port 49179 -> 62563
Network traffic detected: HTTP traffic on port 62563 -> 49178
Network traffic detected: HTTP traffic on port 49178 -> 62563
Network traffic detected: HTTP traffic on port 62563 -> 49177
Network traffic detected: HTTP traffic on port 49177 -> 62563
Network traffic detected: HTTP traffic on port 62563 -> 49176
Network traffic detected: HTTP traffic on port 49176 -> 62563
Network traffic detected: HTTP traffic on port 62563 -> 49175
Network traffic detected: HTTP traffic on port 49175 -> 62563
Network traffic detected: HTTP traffic on port 62563 -> 49174
Network traffic detected: HTTP traffic on port 49174 -> 62563
Network traffic detected: HTTP traffic on port 62563 -> 49173
Network traffic detected: HTTP traffic on port 49173 -> 62563
Network traffic detected: HTTP traffic on port 62563 -> 49172
Network traffic detected: HTTP traffic on port 49172 -> 62563
Network traffic detected: HTTP traffic on port 62563 -> 49171
Network traffic detected: HTTP traffic on port 49171 -> 62563

Uses known network protocols on non-standard ports
Source: unknown

Yara detected Microsoft Office Exploit Follina / CVE-2022-30190
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\42A30EFB.htm
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\exploit.htm
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6B087DC1.htm
EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation
