Suspicious CrushFTP Child Process

    Date: 04/22/2025

    Severity: Medium

    Summary

    Identifies unusual child processes spawned by the CrushFTP service, which can indicate exploitation of remote code execution flaws such as CVE-2025-31161 (RCE via crafted HTTP requests). The detection targets frequently misused Windows executables (e.g., powershell.exe, cmd.exe) that attackers commonly use to execute commands after gaining access.

    Indicators of Compromise (IOC) List

    ParentImage :

    '\crushftpservice.exe'

    Image : 

    - '\bash.exe'

    - '\cmd.exe'

    - '\cscript.exe'

    - '\mshta.exe'

    - '\powershell.exe'

    - '\powershell_ise.exe'

    - '\pwsh.exe'

    - '\sh.exe'

    - '\wscript.exe'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query : 

    (resourcename = "Windows Security"  AND eventtype = "4688"  ) AND processname In  ("bash.exe","cmd.exe","cscript.exe","mshta.exe","powershell.exe","powershell_ise.exe","pwsh.exe","sh.exe","wscript.exe"  ) AND parentprocessname like "crushftpservice.exe"

    Detection Query :

    (technologygroup = "EDR" ) AND processname In  ("bash.exe","cmd.exe","cscript.exe","mshta.exe","powershell.exe","powershell_ise.exe","pwsh.exe","sh.exe","wscript.exe"  ) AND parentprocessname like "crushftpservice.exe"

    Detection Query :

    (resourcename = "Sysmon"  AND eventtype = "1" ) AND image IN ("bash.exe","cmd.exe","cscript.exe","mshta.exe","powershell.exe","powershell_ise.exe","pwsh.exe","sh.exe","wscript.exe" )  AND parentimage like "crushftpservice.exe"
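    The three queries above express the same condition against three telemetry sources. The following is an added example (not Gurucul or SigmaHQ code) that implements that condition as a standalone check over process-creation records, so the rule can be unit-tested before it is deployed. It matches the parent and child on the path basename, case-insensitively, which is what the SigmaHQ rule's backslash-prefixed `endswith` patterns achieve; the `ProcessCreateEvent` field names and the constructed sample events (including the CrushFTP install path and the assumption that the service legitimately launches java.exe) are assumptions for this example, not a vendor schema.

```python
"""Detection logic for the 'Suspicious CrushFTP Child Process' rule, run over
constructed process-creation records. Added example; not Gurucul or SigmaHQ code."""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Child image names from the rule's IOC list, compared against the path basename.
SUSPICIOUS_CHILDREN = frozenset({
    "bash.exe", "cmd.exe", "cscript.exe", "mshta.exe", "powershell.exe",
    "powershell_ise.exe", "pwsh.exe", "sh.exe", "wscript.exe",
})
PARENT_IMAGE = "crushftpservice.exe"


@dataclass(frozen=True)
class ProcessCreateEvent:
    """Normalised process-creation record (Sysmon EID 1, Security 4688 or EDR).
    Field names are assumptions for this example, not a vendor schema."""
    source: str          # "Sysmon", "Windows Security" or "EDR"
    image: str           # full path of the newly created process
    parent_image: str    # full path of the creating process
    command_line: str = ""


def _basename(path: str) -> str:
    # ntpath splits on backslashes even when the detector runs on Linux;
    # lower-casing matters because Windows paths are case-insensitive.
    return ntpath.basename(path).lower()


def is_suspicious_crushftp_child(ev: ProcessCreateEvent) -> bool:
    """True when crushftpservice.exe is the direct parent of one of the listed
    shells or script interpreters. Comparing whole basenames (rather than a
    bare substring) keeps names like 'notcmd.exe' from matching 'cmd.exe'."""
    return (_basename(ev.parent_image) == PARENT_IMAGE
            and _basename(ev.image) in SUSPICIOUS_CHILDREN)


def run_detection(events: list[ProcessCreateEvent]) -> list[ProcessCreateEvent]:
    """Return the subset of events that the rule would alert on."""
    return [ev for ev in events if is_suspicious_crushftp_child(ev)]


# Constructed sample telemetry (paths and command lines are made up for this example).
SAMPLE_EVENTS = [
    # should alert: service spawns cmd.exe
    ProcessCreateEvent("Sysmon", r"C:\Windows\System32\cmd.exe",
                       r"C:\Program Files\CrushFTP10\CrushFTPService.exe",
                       "cmd.exe /c echo constructed-sample"),
    # should alert: same condition seen through a 4688 event, different casing
    ProcessCreateEvent("Windows Security",
                       r"C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.EXE",
                       r"C:\Program Files\CrushFTP10\crushftpservice.exe",
                       "powershell.exe -NoProfile"),
    # assumed benign: the service launching its own Java runtime
    ProcessCreateEvent("Sysmon", r"C:\Program Files\CrushFTP10\jre\bin\java.exe",
                       r"C:\Program Files\CrushFTP10\crushftpservice.exe"),
    # benign: cmd.exe started from Explorer, not from CrushFTP
    ProcessCreateEvent("EDR", r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe"),
    # near miss: name ends in "cmd.exe" but the basename differs; must not match
    ProcessCreateEvent("Sysmon", r"C:\Tools\notcmd.exe",
                       r"C:\Program Files\CrushFTP10\crushftpservice.exe"),
]


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(f"[{hit.source}] {hit.parent_image} -> {hit.image} {hit.command_line}".rstrip())
```

    Running the module prints the two alerting events and nothing for the benign and near-miss records. When porting this to a query language, note that whether the image field holds a full path or a bare file name depends on the log source's normalisation, which is why the Sysmon and Security queries above compare against bare names while the underlying SigmaHQ rule anchors on a leading backslash.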

    Reference:    

    https://github.com/SigmaHQ/sigma/blob/master/rules-emerging-threats/2025/Exploits/CVE-2025-31161/proc_creation_win_crushftp_susp_child_processes.yml


    Tags

    Threat Actor, Sigma, CVE-2025, CrushFTP, Exploit
