
Create proc_creation_win_veeam_cve_2024_29212.yml #4848

Closed

Conversation

prashanthpulisetti
Contributor

Detection of Veeam Service Provider Console Vulnerability (CVE-2024-29212)

References:
https://www.veeam.com/kb4575
https://www.helpnetsecurity.com/2024/05/08/cve-2024-29212/

Raw Logs:

ProcessGuid: {427dadb5-ee46-663c-7b04-asgasdgsdgswg}
ProcessId: 23423
Image: C:\Program Files\Veeam\Availability Console\CommunicationAgent\Veeam.MBP.AgentConfigurator.exe
FileVersion: 6.0.0.7739
Description: Veeam.MBP.AgentConfigurator
Product: Veeam Service Provider Console
Company: Veeam Software Group GmbH
OriginalFileName: Veeam.MBP.AgentConfigurator.exe
CommandLine: "C:\Program Files\Veeam\Availability Console\CommunicationAgent\Veeam.MBP.AgentConfigurator.exe" 
CurrentDirectory: C:\WINDOWS\System32\
User:  ABC\googlezr
LogonGuid: {427dadb5-edbf-663c-5d5f-asgasdgsdgswg}
LogonId: 0x1797F5F5D
TerminalSessionId: 11
IntegrityLevel: Medium
Hashes: MD5=48BDCC4082DBB0B59364C4EF7CC03C4E,SHA256=024771CAB3B0F52E8AFC20564FBEDC64BEB54C64D60F708238984907117BBDEC,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744
ParentProcessGuid: {427dadb5-ee2c-663c-4f04-070000002100}
ParentProcessId: 2122
ParentImage: C:\Windows\explorer.exe
ParentCommandLine: C:\WINDOWS\Explorer.EXE
ParentUser: ABC\googlezr

@github-actions github-actions bot added Rules Windows Pull request add/update windows related rules labels May 10, 2024
@nasbench nasbench added the Work In Progress Some changes are needed label May 10, 2024
@nasbench
Member

Unfortunately, the rule in its current state doesn't work.

The fix for the vulnerability is in builds 7.0.0.18899 and 8.0.0.19236, which start with 7.0 and 8.0 respectively, so both the fixed and vulnerable versions of Veeam Service Provider Console will trigger this.

The same applies to versions 5 and 6. Both have reached end of fix (see this), and assuming a fix is provided for those with support, it'll also be released in a minor build. So we can't use those either.

Also, version comparison is hard in most SIEMs (i.e. you can't use the "lt" / "gt" modifiers here).

Detecting this via this method is not a super viable option (best to leave this to other tooling in the env, such as vuln or inventory management tools, for example).

Closing this PR for now. If you have another method, feel free to open a PR.
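Added example (not the PR's rule and not Veeam's code) illustrating the point made in the comment above: a prefix match on FileVersion cannot separate fixed from vulnerable builds, while a numeric comparison of the full four-part build number can. The two fixed build numbers are the ones quoted in the comment; the assumption that any build at or above them within the same major is patched, and the sample version strings other than the one from the PR's log, are mine.

```python
"""Version comparison for Veeam Service Provider Console builds.

Added example (not the PR's rule, not Veeam's code). Shows why a
FileVersion prefix check ("7.0", "8.0") fires on fixed and vulnerable
builds alike, and how a numeric comparison of the full build number
behaves instead. Fixed build numbers are the two quoted in the review;
sample FileVersion strings are from the PR's log or constructed.
"""
from typing import Tuple

# Fixed builds quoted in the review, keyed by major version. Assumption:
# any build at or above the fixed build within the same major is patched.
FIXED_BUILDS = {
    7: (7, 0, 0, 18899),
    8: (8, 0, 0, 19236),
}

def parse_version(s: str) -> Tuple[int, int, int, int]:
    """Parse a Sysmon FileVersion such as '6.0.0.7739' into four ints."""
    parts = s.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected FileVersion format: {s!r}")
    a, b, c, d = (int(p) for p in parts)
    return (a, b, c, d)

def prefix_rule_matches(file_version: str) -> bool:
    """The naive rule logic (FileVersion|startswith '7.0' or '8.0').
    Returns True for fixed builds too, which is the problem raised above."""
    return file_version.startswith(("7.0", "8.0"))

def classify(file_version: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unknown' via numeric comparison.
    'unknown' covers majors with no fixed build quoted on the page (5.x,
    6.x), which the review leaves to vulnerability/inventory tooling."""
    v = parse_version(file_version)
    fixed = FIXED_BUILDS.get(v[0])
    if fixed is None:
        return "unknown"
    return "fixed" if v >= fixed else "vulnerable"

if __name__ == "__main__":
    # Constructed samples; 6.0.0.7739 is the FileVersion from the PR's log.
    for fv in ("6.0.0.7739", "7.0.0.18000", "7.0.0.18899", "8.0.0.19300"):
        print(fv, "prefix_rule:", prefix_rule_matches(fv), "compare:", classify(fv))
```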

@nasbench nasbench closed this May 13, 2024
@nasbench nasbench removed Work In Progress Some changes are needed labels May 13, 2024