BIOC-MadLicensing-CVE-2024-38077-RPC-Call.bioc
63733c8293b370d49d6675aed6d602b9
[{"rule_id":407,"global_rule_id":"NO_ID","mssp_global_rule_id":null,"insert_time":1723541089258,"modify_time":1723541205625,"severity":"SEV_040_HIGH","source":"frank.bussink@swissexpertgroup.com","comment":"BIOC to detect HydraLsPipe RPC calls Terminal Server Licensing\nProne to False Positive, but rarely used","status":"ENABLED","category":"EXECUTION","indicator":null,"indicator_md5":"8a6fb9e9d2bd77ab1c78a2f4a78d9a68","indicator_text":"dataset = xdr_data \r\n| filter EVENT_TYPE = RPC_CALL\r\n| filter event_rpc_interface_uuid = \"{3d267954-eeb7-11d1-b94e-00c04fa3080d}\" ","name":"BIOC-MadLicensing","mitre_technique_id_and_name":"T1021 - Remote Services","mitre_tactic_id_and_name":"TA0002 - Execution","mitre_tactic_id":"TA0002","mitre_technique_id":"T1021","btp_rule":null,"btp_rule_name":null,"is_preventable":0,"supported_os":0,"btp_validation_error":"UNSUPPORTED_XQL","xql":"{\"stages\":[{\"FILTER\":{\"filter\":{\"OR\":[{\"LEFT\":\"$EVENT_TYPE\",\"OPERATOR\":\"EQ\",\"RIGHT\":\"$RPC_CALL\",\"FILTER_DIALECT\":\"EXTENDED_FILTER_OBJ\"}]}}},{\"FILTER\":{\"filter\":{\"OR\":[{\"LEFT\":\"$event_rpc_interface_uuid\",\"OPERATOR\":\"EQ\",\"RIGHT\":\"{3d267954-eeb7-11d1-b94e-00c04fa3080d}\",\"FILTER_DIALECT\":\"EXTENDED_FILTER_OBJ\"}]}}}],\"original_query\":null,\"tables\":[\"xdr_data\"]}","is_xql":true,"query_tables":"[\"xdr_data\"]","rule_indicator_last_modified_ts":1723541089258,"status_changed_by":null,"status_changed_at":null,"last_status_change_reason":null}]