SigmaHQ / sigma

Main Sigma Rule Repository

xp_cmdshell detection rule improvements #4876

Closed DFIR-jwedd closed 2 days ago

DFIR-jwedd commented 2 weeks ago

The current sigma rule "MSSQL XPCmdshell Option Change" could be improved to detect instances of xp_cmdshell option changes associated with other MSSQL event log provider names, such as ones involving Veeam or FortiEMS, as well as others. The improvement would involve simply modifying the "Provider_Name" to contains "MSSQL" rather than only specifically the "MSSQLSERVER" value.

Proposed change: Provider_Name|contains: 'MSSQL'

Detecting exploitation of the following vulnerabilities in relation to xp_cmdshell option change:

- FortiEMS SQL Injection Vulnerability - CVE-2023-48788
- Veeam Backup & Replication SQL Injection Vulnerability - CVE-2023-27532

Example Event Provider Names:

- Veeam - MSSQL$VEEAMSQL
- FortiEMS - MSSQL$FCEMS

Through making this change and testing on my end, I have been able to confirm exploitation of both the above vulnerabilities along with other instances where xp_cmdshell option was changed.

Could also create specific rules detecting potential exploitation of the above vulnerabilities following a similar method with the "Provider_Name" values listed above, if that would provide additional context as well.


Example Event Log for FortiEMS xp_cmdshell:

15457 4 2 0x0080000000000000 197753 Application computer.local xp_cmdshell01

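To make the effect of the proposed change concrete, here is an added example (not part of the issue and not the Sigma project's own code) that evaluates an "old" exact-match selection and the proposed `Provider_Name|contains: 'MSSQL'` selection against a handful of constructed Application log events. The `EventID: 15457` and `Data|contains: 'xp_cmdshell'` fields are an assumption modelled on the example event line above; the sample events, the `MySQL` provider name and the `clr enabled` data value are constructed for the demonstration. The matcher implements only the two Sigma string behaviours the example needs (case-insensitive exact match and `|contains`).

```python
"""Toy Sigma-style matcher: exact Provider_Name vs. Provider_Name|contains."""
from typing import Dict, List, Union

Event = Dict[str, Union[str, int]]
Selection = Dict[str, Union[str, int]]

# Assumed shape of the original rule's selection (exact provider name).
OLD_SELECTION: Selection = {
    "Provider_Name": "MSSQLSERVER",
    "EventID": 15457,
    "Data|contains": "xp_cmdshell",
}

# The same selection with the change proposed in the issue applied.
NEW_SELECTION: Selection = {
    "Provider_Name|contains": "MSSQL",
    "EventID": 15457,
    "Data|contains": "xp_cmdshell",
}

# Constructed sample events; field names follow the Windows event log
# fields used by Sigma (Provider_Name, EventID, Data). Not real log data.
SAMPLE_EVENTS: List[Event] = [
    {"Provider_Name": "MSSQLSERVER", "EventID": 15457,
     "Data": "xp_cmdshell01", "Computer": "db01.local"},
    {"Provider_Name": "MSSQL$VEEAMSQL", "EventID": 15457,
     "Data": "xp_cmdshell01", "Computer": "veeam01.local"},
    {"Provider_Name": "MSSQL$FCEMS", "EventID": 15457,
     "Data": "xp_cmdshell01", "Computer": "fortiems01.local"},
    # Same provider, but a different configuration option changed:
    # must not match either selection.
    {"Provider_Name": "MSSQL$FCEMS", "EventID": 15457,
     "Data": "clr enabled01", "Computer": "fortiems01.local"},
    # Unrelated provider name that merely contains "SQL": must not match.
    {"Provider_Name": "MySQL", "EventID": 15457,
     "Data": "xp_cmdshell01", "Computer": "web01.local"},
]


def field_matches(event: Event, key: str, expected: Union[str, int]) -> bool:
    """Evaluate one Sigma-style 'Field' or 'Field|modifier' entry."""
    field, _, modifier = key.partition("|")
    value = event.get(field)
    if value is None:
        return False
    # Sigma string matching is case-insensitive by default; comparing as
    # lower-cased strings also lets integer EventIDs compare uniformly.
    actual, wanted = str(value).lower(), str(expected).lower()
    if modifier == "":
        return actual == wanted
    if modifier == "contains":
        return wanted in actual
    raise ValueError(f"unsupported modifier: {modifier!r}")


def selection_matches(event: Event, selection: Selection) -> bool:
    """All entries in a Sigma selection map are ANDed together."""
    return all(field_matches(event, k, v) for k, v in selection.items())


def matching_providers(events: List[Event], selection: Selection) -> List[str]:
    """Return the Provider_Name of each event the selection matches, in order."""
    return [str(e["Provider_Name"]) for e in events if selection_matches(e, selection)]


if __name__ == "__main__":
    print("old:", matching_providers(SAMPLE_EVENTS, OLD_SELECTION))
    print("new:", matching_providers(SAMPLE_EVENTS, NEW_SELECTION))
```

Running it shows the exact-match selection only firing for `MSSQLSERVER`, while the `contains` version also picks up the `MSSQL$VEEAMSQL` and `MSSQL$FCEMS` named instances without matching the unrelated `MySQL` provider or a change to a different configuration option.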
github-actions[bot] commented 2 weeks ago

Welcome @DFIR-jwedd :wave:

It looks like this is your first issue on the Sigma rules repository!

The following repository accepts issues related to false positives or 'rule ideas'.

If you're reporting an issue related to the pySigma library please consider submitting it here

If you're reporting an issue related to the deprecated sigmac library please consider submitting it here

Thanks for taking the time to open this issue, and welcome to the Sigma community! :smiley:

nasbench commented 2 days ago

Thanks for the suggestion. In this specific case, I think switching it to a contains is a better option as those third party services are also mssql services.

I've updated all mssql rules to reflect this in #4888