LoFP / Legitimate uses in which users or programs use the SSH service of Serv-U for remote command execution

Techniques

Sample rules

Suspicious Serv-U Process Pattern

Description

Detects a suspicious process pattern which could be a sign of an exploited Serv-U service

Detection logic

condition: selection
selection:
  Image|endswith:
  - \cmd.exe
  - \powershell.exe
  - \pwsh.exe
  - \wscript.exe
  - \cscript.exe
  - \sh.exe
  - \bash.exe
  - \schtasks.exe
  - \regsvr32.exe
  - \wmic.exe
  - \mshta.exe
  - \rundll32.exe
  - \msiexec.exe
  - \forfiles.exe
  - \scriptrunner.exe
  ParentImage|endswith: \Serv-U.exe
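The selection above fires on any listed interpreter or LOLBin whose parent is Serv-U.exe, which is exactly what a legitimate SSH remote-command session on Serv-U also produces. The following added example (not part of the LoFP page or the Sigma project) re-implements that single selection over constructed Sysmon Event ID 1 style records to show which events match, that Sigma's plain string matching is case-insensitive, and where session context has to come from to separate the documented false positive from a hit worth investigating. The install path, the command lines and the `ServUSession` field are constructed assumptions, not values from the page.

```python
"""Evaluate the Serv-U process-pattern selection from the rule above.

Added example, not code from the LoFP page or the Sigma project. Events,
paths and the 'ServUSession' context field are constructed for illustration.
"""

# Child images taken from the rule's Image|endswith list.
SUSPICIOUS_CHILDREN = (
    r"\cmd.exe", r"\powershell.exe", r"\pwsh.exe", r"\wscript.exe",
    r"\cscript.exe", r"\sh.exe", r"\bash.exe", r"\schtasks.exe",
    r"\regsvr32.exe", r"\wmic.exe", r"\mshta.exe", r"\rundll32.exe",
    r"\msiexec.exe", r"\forfiles.exe", r"\scriptrunner.exe",
)
# ParentImage|endswith value from the rule.
PARENT_SUFFIX = r"\Serv-U.exe"


def _endswith_ci(value, suffix):
    """Sigma plain-string matching is case-insensitive; mirror that."""
    return value.lower().endswith(suffix.lower())


def matches_selection(event):
    """True when the event satisfies the rule's 'selection' block
    (condition: selection). A missing field never matches, as in Sigma."""
    image = event.get("Image", "")
    parent = event.get("ParentImage", "")
    return _endswith_ci(parent, PARENT_SUFFIX) and any(
        _endswith_ci(image, suffix) for suffix in SUSPICIOUS_CHILDREN
    )


def triage(event):
    """Classify a hit. The page's false positive is a child spawned for an
    authenticated Serv-U SSH session, so a hit with that context is expected
    activity; a hit without it is queued for investigation. 'ServUSession' is
    a hypothetical enrichment field, not a Sysmon or Serv-U field."""
    if not matches_selection(event):
        return "no-match"
    if event.get("ServUSession", {}).get("authenticated_ssh"):
        return "match-expected-ssh-exec"
    return "match-investigate"


# Constructed sample events using Sysmon Event ID 1 field names.
SERVU_DIR = r"C:\Program Files\RhinoSoft\Serv-U"  # constructed install path
SAMPLE_EVENTS = [
    # 1: cmd.exe under Serv-U, enriched with an authenticated SSH session.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": SERVU_DIR + r"\Serv-U.exe",
     "CommandLine": "cmd.exe /c dir D:\\transfers",
     "ServUSession": {"authenticated_ssh": True, "user": "backup-svc"}},
    # 2: same parent/child shape, mixed case, no session context.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe",
     "ParentImage": SERVU_DIR + r"\serv-u.exe",
     "CommandLine": "powershell.exe -Command Get-Process"},
    # 3: child not in the list.
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": SERVU_DIR + r"\Serv-U.exe"},
    # 4: listed child but a different parent.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    # 5: parent field absent entirely.
    {"Image": r"C:\Windows\System32\cmd.exe"},
]


def evaluate_all(events=SAMPLE_EVENTS):
    """Return the triage verdict for every event, in order."""
    return [triage(e) for e in events]


if __name__ == "__main__":
    for i, verdict in enumerate(evaluate_all(), start=1):
        print(f"event {i}: {verdict}")
```

Events 1 and 2 show the problem the LoFP entry describes: the rule alone cannot tell an operator's SSH command from an exploited service, because both are a shell spawned by Serv-U.exe. Whatever supplies the session context in practice (Serv-U's own logs correlated by time and user, or an EDR field), tuning should add it as a second selection or a filter rather than removing interpreters from the list.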