From 1c49eddce96595d91dc835e49710fd45a19b8ef4 Mon Sep 17 00:00:00 2001
From: RG9n <79008547+RG9n@users.noreply.github.com>
Date: Fri, 11 Apr 2025 18:07:28 -0400
Subject: [PATCH 1/8] Create proc_creation_win_centrestack_portal_rce.yml

---
 ...oc_creation_win_centrestack_portal_rce.yml | 31 +++++++++++++++++++
 1 file changed, 31 insertions(+)
 create mode 100644 rules/windows/process_creation/proc_creation_win_centrestack_portal_rce.yml

diff --git a/rules/windows/process_creation/proc_creation_win_centrestack_portal_rce.yml b/rules/windows/process_creation/proc_creation_win_centrestack_portal_rce.yml
new file mode 100644
index 00000000000..53920901cf7
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_centrestack_portal_rce.yml
@@ -0,0 +1,31 @@
+title: Suspicious Process Spawn by CentreStack Portal AppPool
+id: 2d79e371-2a27-42de-87a4-b4213fc72a6a
+status: experimental
+description: Detects unexpected command shell execution (cmd.exe) from w3wp.exe when tied to CentreStack's portal.config, indicating potential exploitation (e.g., CVE-2025-30406)
+author: Jason Rathbun (Blackpoint Cyber)
+date: 2025-04-11
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ parent:
+ Image|endswith: '\w3wp.exe'
+ CommandLine|contains: '\portal\portal.config'
+ child:
+ Image|endswith: '\cmd.exe'
+ condition: parent and child
+fields:
+ - Image
+ - ParentImage
+ - CommandLine
+ - ParentCommandLine
+ - ProcessId
+ - ParentProcessId
+falsepositives:
+ - Potentially if other portal services run on w3wp with a apppool\portal\portal.config, if you want to increase scope you could add user IIS APPPOOL\portal
+level: high
+tags:
+ - attack.execution
+ - attack.t1059.003
+ - attack.t1505.003
+ - cve.2025-30406

From 012336cba79859ffc30b3a6076a8db6b1c3296a4 Mon Sep 17 00:00:00 2001
From: RG9n <79008547+RG9n@users.noreply.github.com>
Date: Fri, 11 Apr 2025 18:16:10 -0400
Subject: [PATCH 2/8] Update proc_creation_win_centrestack_portal_rce.yml

formatting fix
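Review bot: The parent anchor `CommandLine|contains: '\portal\portal.config'` matches on the IIS application-pool name rather than on anything CentreStack-specific — IIS hands each w3wp.exe its per-pool config path, so any site hosted in a pool called `portal` qualifies, which the falsepositives entry already concedes. The description should make that scoping explicit so operators whose CentreStack pool is named differently know which value to adapt, e.g. `description: Detects cmd.exe spawned by an IIS worker process (w3wp.exe) serving the "portal" application pool, which CentreStack appears to use by default; may indicate exploitation (e.g., CVE-2025-30406)`. The `fields:` list and the run-on falsepositives sentence are secondary, but the description is where a deployer decides whether the rule applies to their environment.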
From 4f2eba6081e9d08f7e20616300bfebaa75de4c1d Mon Sep 17 00:00:00 2001
From: RG9n <79008547+RG9n@users.noreply.github.com>
Date: Fri, 11 Apr 2025 18:20:47 -0400
Subject: [PATCH 3/8] Update proc_creation_win_centrestack_portal_rce.yml

indentation adjustment
---
 ...oc_creation_win_centrestack_portal_rce.yml | 38 +++++++++----------
 1 file changed, 19 insertions(+), 19 deletions(-)

diff --git a/rules/windows/process_creation/proc_creation_win_centrestack_portal_rce.yml b/rules/windows/process_creation/proc_creation_win_centrestack_portal_rce.yml
index 53920901cf7..643176cf5f8 100644
--- a/rules/windows/process_creation/proc_creation_win_centrestack_portal_rce.yml
+++ b/rules/windows/process_creation/proc_creation_win_centrestack_portal_rce.yml
@@ -5,27 +5,27 @@ description: Detects unexpected command shell execution (cmd.exe) from w3wp.exe
 author: Jason Rathbun (Blackpoint Cyber)
 date: 2025-04-11
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- parent:
- Image|endswith: '\w3wp.exe'
- CommandLine|contains: '\portal\portal.config'
- child:
- Image|endswith: '\cmd.exe'
- condition: parent and child
+ parent:
+ Image|endswith: '\w3wp.exe'
+ CommandLine|contains: '\portal\portal.config'
+ child:
+ Image|endswith: '\cmd.exe'
+ condition: parent and child
 fields:
- - Image
- - ParentImage
- - CommandLine
- - ParentCommandLine
- - ProcessId
- - ParentProcessId
+ - Image
+ - ParentImage
+ - CommandLine
+ - ParentCommandLine
+ - ProcessId
+ - ParentProcessId
 falsepositives:
- - Potentially if other portal services run on w3wp with a apppool\portal\portal.config, if you want to increase scope you could add user IIS APPPOOL\portal
+ - Potentially if other portal services run on w3wp with a apppool\portal\portal.config, if you want to increase scope you could add user IIS APPPOOL\portal
 level: high
 tags:
- - attack.execution
- - attack.t1059.003
- - attack.t1505.003
- - cve.2025-30406
+ - attack.execution
+ - attack.t1059.003
+ - attack.t1505.003
+ - cve.2025-30406

From 677cdd0f65ececd6bc75218d56f5e7935a6c00ff Mon Sep 17 00:00:00 2001
From: RG9n <79008547+RG9n@users.noreply.github.com>
Date: Mon, 14 Apr 2025 12:13:29 -0400
Subject: [PATCH 4/8] Update proc_creation_win_centrestack_portal_rce.yml

changes recommended by frack113, added Parent in front of parent image and commanline
---
 .../proc_creation_win_centrestack_portal_rce.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/windows/process_creation/proc_creation_win_centrestack_portal_rce.yml b/rules/windows/process_creation/proc_creation_win_centrestack_portal_rce.yml
index 643176cf5f8..ccc8e3bf320 100644
--- a/rules/windows/process_creation/proc_creation_win_centrestack_portal_rce.yml
+++ b/rules/windows/process_creation/proc_creation_win_centrestack_portal_rce.yml
@@ -9,8 +9,8 @@ logsource:
 product: windows
 detection:
 parent:
- Image|endswith: '\w3wp.exe'
- CommandLine|contains: '\portal\portal.config'
+ ParentImage|endswith: '\w3wp.exe'
+ ParentCommandLine|contains: '\portal\portal.config'
 child:
 Image|endswith: '\cmd.exe'
 condition: parent and child

From b663d4c05c0aca61def2d993794c468c56b05605 Mon Sep 17 00:00:00 2001
From: RG9n <79008547+RG9n@users.noreply.github.com>
Date: Mon, 14 Apr 2025 14:56:10 -0400
Subject: [PATCH 5/8] Update proc_creation_win_centrestack_portal_rce.yml

added some references and small fp update
---
 .../proc_creation_win_centrestack_portal_rce.yml | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/rules/windows/process_creation/proc_creation_win_centrestack_portal_rce.yml b/rules/windows/process_creation/proc_creation_win_centrestack_portal_rce.yml
index ccc8e3bf320..b6406d784d4 100644
--- a/rules/windows/process_creation/proc_creation_win_centrestack_portal_rce.yml
+++ b/rules/windows/process_creation/proc_creation_win_centrestack_portal_rce.yml
@@ -3,6 +3,11 @@ id: 2d79e371-2a27-42de-87a4-b4213fc72a6a
 status: experimental
 description: Detects unexpected command shell execution (cmd.exe) from w3wp.exe when tied to CentreStack's portal.config, indicating potential exploitation (e.g., CVE-2025-30406)
 author: Jason Rathbun (Blackpoint Cyber)
+references:
+ - https://nvd.nist.gov/vuln/detail/CVE-2025-30406
+ - https://blackpointcyber.com/blog/racing-to-exploit-centrestacks-cve-2025-30406/
+ - https://gladinetsupport.s3.us-east-1.amazonaws.com/gladinet/securityadvisory-cve-2005.pdf
+ - https://www.bleepingcomputer.com/news/security/centrestack-rce-exploited-as-zero-day-to-breach-file-sharing-servers/
 date: 2025-04-11
 logsource:
 category: process_creation
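Review bot: With the parent side now correctly expressed through `ParentImage` and `ParentCommandLine`, the child side `Image|endswith: '\cmd.exe'` remains the only process covered, so the same unexpected child launched from that worker process as powershell.exe or pwsh.exe is not seen at all; either widen it, `Image|endswith: ['\cmd.exe', '\powershell.exe', '\pwsh.exe']`, or state in the description that only cmd.exe is in scope. The later rename in this series to `..._centrestack_portal_child_process.yml` and the title "Suspicious Process Spawned ..." both promise the broader scope, so the narrow selector is worth reconciling with them. Since the two selections are ANDed over one process_creation event, the `parent`/`child` naming reads as two correlated events to a newcomer; a one-line comment above `detection:` saying both apply to the child's event would prevent that misreading.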
@@ -14,15 +19,9 @@ detection:
 child:
 Image|endswith: '\cmd.exe'
 condition: parent and child
-fields:
- - Image
- - ParentImage
- - CommandLine
- - ParentCommandLine
- - ProcessId
- - ParentProcessId
+
 falsepositives:
- - Potentially if other portal services run on w3wp with a apppool\portal\portal.config, if you want to increase scope you could add user IIS APPPOOL\portal
+ - Potentially if other portal services run on w3wp with a apppool\portal\portal.config, if you want to increase scope you could add user IIS APPPOOL\portal. As of 4/14, no false positives yet observed by Blackpoint Cyber. Cmd seems atypical from this service.
 level: high
 tags:
 - attack.execution

From dc5add3a2533f577eb7cf38b790bf4e3fffb8265 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali
Date: Thu, 17 Apr 2025 01:05:34 +0200
Subject: [PATCH 6/8] Update and rename proc_creation_win_centrestack_portal_rce.yml to proc_creation_win_exploit_cve_2025_30406_centrestack_portal_child_process.yml

---
 ...30406_centrestack_portal_child_process.yml | 23 +++++++++----------
 1 file changed, 11 insertions(+), 12 deletions(-)
 rename rules/windows/process_creation/proc_creation_win_centrestack_portal_rce.yml => rules-emerging-threats/2025/Exploits/proc_creation_win_exploit_cve_2025_30406_centrestack_portal_child_process.yml (68%)

diff --git a/rules/windows/process_creation/proc_creation_win_centrestack_portal_rce.yml b/rules-emerging-threats/2025/Exploits/proc_creation_win_exploit_cve_2025_30406_centrestack_portal_child_process.yml
similarity index 68%
rename from rules/windows/process_creation/proc_creation_win_centrestack_portal_rce.yml
rename to rules-emerging-threats/2025/Exploits/proc_creation_win_exploit_cve_2025_30406_centrestack_portal_child_process.yml
index b6406d784d4..4437f8be84e 100644
--- a/rules/windows/process_creation/proc_creation_win_centrestack_portal_rce.yml
+++ b/rules-emerging-threats/2025/Exploits/proc_creation_win_exploit_cve_2025_30406_centrestack_portal_child_process.yml
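Review bot: The rewritten falsepositives entry bundles a benign scenario with tuning advice (`add user IIS APPPOOL\portal`) and a dated telemetry claim (`As of 4/14 ...`), but that list is meant to name situations that legitimately trigger the rule, and a date-stamped observation goes stale the moment it is merged. Keep only the scenario here, e.g. `- Other IIS application pools named "portal" whose worker process legitimately spawns cmd.exe`, and move the hint about additionally matching on the pool's service identity into the description, where someone tuning the rule will look for it; the trimmed entry in patch 6 of this series keeps the same mix and would benefit from the same split. The lone `+` line also inserts a stray blank line between `condition` and `falsepositives:` inside the rule body.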
@@ -1,7 +1,8 @@
-title: Suspicious Process Spawn by CentreStack Portal AppPool
+title: Suspicious Process Spawned by CentreStack Portal AppPool
 id: 2d79e371-2a27-42de-87a4-b4213fc72a6a
 status: experimental
-description: Detects unexpected command shell execution (cmd.exe) from w3wp.exe when tied to CentreStack's portal.config, indicating potential exploitation (e.g., CVE-2025-30406)
+description: |
+ Detects unexpected command shell execution (cmd.exe) from w3wp.exe when tied to CentreStack's portal.config, indicating potential exploitation (e.g., CVE-2025-30406)
 author: Jason Rathbun (Blackpoint Cyber)
 references:
 - https://nvd.nist.gov/vuln/detail/CVE-2025-30406
@@ -9,22 +10,20 @@ references:
 - https://gladinetsupport.s3.us-east-1.amazonaws.com/gladinet/securityadvisory-cve-2005.pdf
 - https://www.bleepingcomputer.com/news/security/centrestack-rce-exploited-as-zero-day-to-breach-file-sharing-servers/
 date: 2025-04-11
+tags:
+ - attack.execution
+ - attack.t1059.003
+ - attack.t1505.003
+ - cve.2025-30406
 logsource:
 category: process_creation
 product: windows
 detection:
- parent:
+ selection:
 ParentImage|endswith: '\w3wp.exe'
 ParentCommandLine|contains: '\portal\portal.config'
- child:
 Image|endswith: '\cmd.exe'
- condition: parent and child
-
+ condition: selection
 falsepositives:
- - Potentially if other portal services run on w3wp with a apppool\portal\portal.config, if you want to increase scope you could add user IIS APPPOOL\portal. As of 4/14, no false positives yet observed by Blackpoint Cyber. Cmd seems atypical from this service.
+ - Potentially if other portal services run on w3wp with a apppool\portal\portal.config, if you want to increase scope you could add user IIS APPPOOL\portal.
 level: high
-tags:
- - attack.execution
- - attack.t1059.003
- - attack.t1505.003
- - cve.2025-30406

From f232c0f3096ac5a3712835e6e4f9d828fc7c43d3 Mon Sep 17 00:00:00 2001
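Review bot: The merged `selection` now stands entirely on `ParentCommandLine`, which not every Windows process-creation source records — Sysmon Event ID 1 carries the parent's command line, whereas Security event 4688 logs only the creator process name — so on 4688-based telemetry the rule either fails to translate or never matches, with no signal to the operator that coverage is missing. State the requirement in the `description: |` block, e.g. `Requires a process creation source that records the parent command line (e.g. Sysmon Event ID 1).`, so deployers can check their data source before relying on the rule. Where the backend also exposes the parent process's account, matching the pool's service identity there would give a second anchor that does not depend on command-line logging; the falsepositives text already gestures at that value but keeps it as prose.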
From: Nasreddine Bencherchali
Date: Thu, 17 Apr 2025 01:05:59 +0200
Subject: [PATCH 7/8] Update proc_creation_win_exploit_cve_2025_30406_centrestack_portal_child_process.yml

---
 ...n_exploit_cve_2025_30406_centrestack_portal_child_process.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/rules-emerging-threats/2025/Exploits/proc_creation_win_exploit_cve_2025_30406_centrestack_portal_child_process.yml b/rules-emerging-threats/2025/Exploits/proc_creation_win_exploit_cve_2025_30406_centrestack_portal_child_process.yml
index 4437f8be84e..0ccde96043f 100644
--- a/rules-emerging-threats/2025/Exploits/proc_creation_win_exploit_cve_2025_30406_centrestack_portal_child_process.yml
+++ b/rules-emerging-threats/2025/Exploits/proc_creation_win_exploit_cve_2025_30406_centrestack_portal_child_process.yml
@@ -15,6 +15,7 @@ tags:
 - attack.t1059.003
 - attack.t1505.003
 - cve.2025-30406
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows

From abc3357f99f07bdfb1d22e010b05c6f487f8e6c2 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali
Date: Thu, 17 Apr 2025 01:06:34 +0200
Subject: [PATCH 8/8] Update proc_creation_win_exploit_cve_2025_30406_centrestack_portal_child_process.yml

---
 ...xploit_cve_2025_30406_centrestack_portal_child_process.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules-emerging-threats/2025/Exploits/proc_creation_win_exploit_cve_2025_30406_centrestack_portal_child_process.yml b/rules-emerging-threats/2025/Exploits/proc_creation_win_exploit_cve_2025_30406_centrestack_portal_child_process.yml
index 0ccde96043f..c923e155acf 100644
--- a/rules-emerging-threats/2025/Exploits/proc_creation_win_exploit_cve_2025_30406_centrestack_portal_child_process.yml
+++ b/rules-emerging-threats/2025/Exploits/proc_creation_win_exploit_cve_2025_30406_centrestack_portal_child_process.yml
@@ -3,13 +3,13 @@ id: 2d79e371-2a27-42de-87a4-b4213fc72a6a
 status: experimental
 description: |
 Detects unexpected command shell execution (cmd.exe) from w3wp.exe when tied to CentreStack's portal.config, indicating potential exploitation (e.g., CVE-2025-30406)
-author: Jason Rathbun (Blackpoint Cyber)
 references:
 - https://nvd.nist.gov/vuln/detail/CVE-2025-30406
 - https://blackpointcyber.com/blog/racing-to-exploit-centrestacks-cve-2025-30406/
 - https://gladinetsupport.s3.us-east-1.amazonaws.com/gladinet/securityadvisory-cve-2005.pdf
 - https://www.bleepingcomputer.com/news/security/centrestack-rce-exploited-as-zero-day-to-breach-file-sharing-servers/
-date: 2025-04-11
+author: Jason Rathbun (Blackpoint Cyber)
+date: 2025-04-17
 tags:
 - attack.execution
 - attack.t1059.003