Date: 09/30/2024
Severity: Medium
Summary
Detects a possible exploitation attempt of CVE-2022-22954, a remote code execution vulnerability in VMware Workspace ONE Access and Identity Manager. According to Morphisec, the threat actors ran PowerShell commands as child processes of the legitimate Tomcat service wrapper "prunsrv.exe" (the Apache Commons Daemon service runner that hosts Tomcat on Windows). That parent/child process chain, rather than any network artifact, is what the indicators and queries below look for.
Indicators of Compromise (IOC) List
Field | Value | Match type |
Image | '\powershell.exe' '\cmd.exe' | path ends with |
ParentImage | '\prunsrv.exe' | path ends with |
CommandLine | '/c powershell' | contains |
Note: these values are path suffixes and a command-line substring, as in the referenced Sigma rule (endswith / contains modifiers). A real process-creation event carries the full path (for example C:\Windows\System32\cmd.exe), so any port of this logic must compare with ends-with / contains semantics rather than exact equality, or it will never fire.
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 | (((resourcename in ("Sysmon") AND eventtype = "1") AND image IN ("\powershell.exe","\cmd.exe")) AND parentimage = "\prunsrv.exe" AND commandline = "/c powershell") |
Detection Query 2 | (((technologygroup = "EDR") AND image IN ("\powershell.exe","\cmd.exe")) AND parentimage = "\prunsrv.exe" AND commandline = "/c powershell") |
Detection Query 3 | (((resourcename in ("Windows Security" ) AND eventtype = "4688") AND image IN ("\powershell.exe","\cmd.exe")) AND parentimage = "\prunsrv.exe" AND commandline = "/c powershell") |
Note on Query 3: Windows Security event 4688 only includes the parent ("Creator Process Name") on Windows 10 / Server 2016 and later, and only populates the process command line when the "Include command line in process creation events" policy is enabled alongside process creation auditing. Without both, the ParentImage and CommandLine conditions can never be satisfied and the query is silent, not clean. Treat the image, parentimage and commandline values in all three queries as ends-with / contains patterns when validating them against live telemetry.
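The following is an added example, not part of the Gurucul advisory, the Sigma rule, or the Gurucul query engine: a small offline re-implementation of the detection logic above in Python, run over constructed Sysmon Event ID 1 style records. It applies the ends-with / contains semantics of the referenced Sigma rule, and places an exact-equality variant beside it to show why that reading of the queries never matches real telemetry. The event records and the prunsrv.exe install path in them are made up for illustration.

```python
# Added example (not Gurucul's or SigmaHQ's code): re-implementation of the
# CVE-2022-22954 process-chain detection over constructed Sysmon-style events.
from dataclasses import dataclass

# Rule fields from the advisory. ParentImage and Image are path suffixes and
# CommandLine is a substring, mirroring the Sigma rule's endswith / contains
# modifiers.
IMAGE_SUFFIXES = ("\\powershell.exe", "\\cmd.exe")
PARENT_SUFFIX = "\\prunsrv.exe"
CMDLINE_SUBSTRING = "/c powershell"


@dataclass
class ProcessEvent:
    """Minimal view of a Sysmon Event ID 1 (process creation) record."""
    event_id: int
    image: str
    parent_image: str
    command_line: str


def matches_rule(ev: ProcessEvent) -> bool:
    """True when the Tomcat service wrapper (prunsrv.exe) spawns cmd.exe or
    powershell.exe with '/c powershell' in the command line. Sigma string
    matching is case-insensitive, so all values are lower-cased first."""
    if ev.event_id != 1:
        return False
    return (
        ev.image.lower().endswith(IMAGE_SUFFIXES)      # endswith accepts a tuple
        and ev.parent_image.lower().endswith(PARENT_SUFFIX)
        and CMDLINE_SUBSTRING in ev.command_line.lower()
    )


def matches_exact(ev: ProcessEvent) -> bool:
    """The same conditions with exact equality, read literally from the
    queries above. Included only to show that it cannot fire on real
    telemetry, where Image/ParentImage carry full paths."""
    return (
        ev.event_id == 1
        and ev.image in IMAGE_SUFFIXES
        and ev.parent_image == PARENT_SUFFIX
        and ev.command_line == CMDLINE_SUBSTRING
    )


def scan(events):
    """Return the indexes of the events that match the rule."""
    return [i for i, ev in enumerate(events) if matches_rule(ev)]


# Constructed sample telemetry (not real captures; the prunsrv.exe path is assumed).
SAMPLE_EVENTS = [
    # 0: the chain the advisory describes
    ProcessEvent(1, r"C:\Windows\System32\cmd.exe",
                 r"C:\VMware\Tomcat\bin\prunsrv.exe",
                 r'cmd.exe /c powershell -nop -w hidden -c "whoami"'),
    # 1: the wrapper starting its JVM, normal service behaviour
    ProcessEvent(1, r"C:\VMware\Tomcat\jre\bin\java.exe",
                 r"C:\VMware\Tomcat\bin\prunsrv.exe",
                 r"java.exe -jar tomcat.jar"),
    # 2: same command line but from an interactive shell: wrong parent
    ProcessEvent(1, r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\explorer.exe",
                 r'cmd.exe /c powershell -c "Get-Date"'),
    # 3: powershell.exe directly under prunsrv.exe, but without '/c powershell'
    #    in the command line, so outside the rule as written
    ProcessEvent(1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\VMware\Tomcat\bin\prunsrv.exe",
                 r"powershell.exe -File C:\scripts\health.ps1"),
]

if __name__ == "__main__":
    print("rule hits:", scan(SAMPLE_EVENTS))                            # [0]
    print("exact-match hits:",
          [i for i, e in enumerate(SAMPLE_EVENTS) if matches_exact(e)])  # []
```

Event 3 is worth a second look when tuning: a PowerShell child of prunsrv.exe with no "/c powershell" in its command line is not covered by the rule as published, so an environment that never expects the Tomcat wrapper to spawn a shell at all may want a broader, separately scored variant that drops the CommandLine condition.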
Reference:
https://github.com/SigmaHQ/sigma/blob/master/rules-emerging-threats/2022/Exploits/CVE-2022-22954/proc_creation_win_exploit_cve_2022_22954_vmware_workspace_one_rce.yml