
feat: Suspicious CrushFTP Child Process #5261


Status: Open. Wants to merge 2 commits into base: master

Conversation

swachchhanda000 (Contributor)

Summary of the Pull Request

I have updated the Sigma rule shared in the Huntress blog post
https://www.huntress.com/blog/crushftp-cve-2025-31161-auth-bypass-and-post-exploitation

Original Sigma rule:
https://gist.github.com/JohnHammond/a22bf3103eeb0f985cf1cef4d3fc849f#file-win_proc_creation_shell_child_process_crushftp-yml

Changelog

new: Suspicious CrushFTP Child Process

Example Log Event

Fixed Issues


frack113 (Member) left a comment
LGTM

```yaml
falsepositives:
    - Legitimate CrushFTP administrative actions
    - Software updates
level: high
```
Member left a comment
Why is this high whereas the original rule is medium? Also why add 70 other processes? Just add shell processes and some of the common scripting ones. No need for a huge list.

Also probably the cmd / powershell stuff can be legit (hence why it was put to medium).

Please fix that.

swachchhanda000 (Contributor, Author) left a comment
Well, in the original rule, the severity was set to medium, but the false positive rate was unknown. If there had been any known false positives, I believe they would have mentioned them. That's why I decided to bump the level up to high.

As for the other processes I included, I added them because they allow proxy execution, and nowadays threat actors are heavily leveraging that technique to bypass the normal detection logic.

@nasbench nasbench added the Author Input Required changes the require information from original author of the rules label Apr 15, 2025
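The review thread above argues over two things: how wide the child-process list should be (shells plus a few scripting hosts, per the reviewer, rather than a long list of proxy-execution binaries) and how the parent is identified. The following is an added example, not the rule from this PR, the Huntress gist or SigmaHQ's code: a small Python matcher that applies the compact selection the reviewer asked for to constructed Sysmon event-1 style records. The CrushFTP parent is identified by the substring "crushftp" in ParentImage, which is an assumption about how the service shows up in your telemetry; the sample events and their paths are constructed, not captured logs.

```python
"""Compact "suspicious CrushFTP child process" check over sample process-creation events.

Added example for the PR discussion; not the project's rule. Sigma string
matching is case-insensitive, so every comparison below casefolds both sides.
"""
from __future__ import annotations

from typing import Iterable

# ASSUMPTION: the CrushFTP parent is recognised by "crushftp" somewhere in
# ParentImage. Replace with the launcher/service name seen in your environment.
PARENT_IMAGE_CONTAINS = ("crushftp",)

# Shells and common scripting hosts only, as the reviewer asked; no long
# proxy-execution list. Each entry is matched with Sigma-style "endswith".
CHILD_IMAGE_ENDSWITH = (
    "\\cmd.exe",
    "\\powershell.exe",
    "\\pwsh.exe",
    "\\wscript.exe",
    "\\cscript.exe",
    "\\mshta.exe",
)


def _norm(value: str) -> str:
    """Casefold a path so that 'C:\\WINDOWS\\SYSTEM32\\CMD.EXE' still matches."""
    return value.casefold()


def is_suspicious_child(event: dict) -> bool:
    """True when a process-creation event has a CrushFTP parent AND a shell/script child."""
    if event.get("EventID") != 1:  # only Sysmon process creation is in scope
        return False
    parent = _norm(event.get("ParentImage", ""))
    image = _norm(event.get("Image", ""))
    parent_hit = any(needle in parent for needle in PARENT_IMAGE_CONTAINS)
    child_hit = any(image.endswith(_norm(suffix)) for suffix in CHILD_IMAGE_ENDSWITH)
    return parent_hit and child_hit


def scan(events: Iterable[dict]) -> list[dict]:
    """Return the subset of events that the compact rule would alert on."""
    return [e for e in events if is_suspicious_child(e)]


# Constructed sample events (not real telemetry); paths are illustrative.
SAMPLE_EVENTS = [
    {  # shell spawned by the (assumed) CrushFTP parent: should match
        "EventID": 1,
        "ParentImage": "C:\\Program Files\\CrushFTP11\\CrushFTP.exe",
        "Image": "C:\\WINDOWS\\SYSTEM32\\CMD.EXE",
        "CommandLine": "cmd.exe /c whoami",
    },
    {  # PowerShell child of the same parent: should match
        "EventID": 1,
        "ParentImage": "C:\\Program Files\\CrushFTP11\\CrushFTP.exe",
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": "powershell.exe -nop -w hidden -enc AAAA",
    },
    {  # non-shell child (e.g. a bundled runtime): excluded by the compact list
        "EventID": 1,
        "ParentImage": "C:\\Program Files\\CrushFTP11\\CrushFTP.exe",
        "Image": "C:\\Program Files\\Java\\jre\\bin\\java.exe",
        "CommandLine": "java.exe -jar plugin.jar",
    },
    {  # cmd.exe from an unrelated parent: parent selection fails
        "EventID": 1,
        "ParentImage": "C:\\Windows\\explorer.exe",
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": "cmd.exe",
    },
    {  # wrong event type entirely (network connection), never considered
        "EventID": 3,
        "ParentImage": "C:\\Program Files\\CrushFTP11\\CrushFTP.exe",
        "Image": "C:\\Windows\\System32\\cmd.exe",
    },
]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"ALERT parent={hit['ParentImage']} child={hit['Image']}")
```

Running the module prints two alerts (the cmd.exe and powershell.exe children) and stays silent on the Java child, the explorer.exe-spawned shell and the event-3 record. Tuning for the listed false positives (administrative actions, updates) would go in as an explicit filter on CommandLine or Image rather than by widening the child list.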
Labels: Author Input Required (changes that require information from the original author of the rules), Emerging-Threats Rules

3 participants