2023-04-19 15:34:10 +00:00
|
|
|
id: msmq-detect
|
|
|
|
|
|
|
|
info:
|
2023-04-19 20:58:15 +00:00
|
|
|
name: MSMQ (Microsoft Message Queuing Service) Remote - Detect
|
2023-04-19 15:34:10 +00:00
|
|
|
author: bhutch
|
|
|
|
severity: info
|
|
|
|
description: Detects remote MSMQ services. Public exposure of this service may be a misconfiguration.
|
|
|
|
reference:
|
|
|
|
- https://www.shadowserver.org/what-we-do/network-reporting/accessible-msmq-service-report/
|
|
|
|
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-mqqb/f9bbe350-d70b-4e90-b9c7-d39328653166
|
|
|
|
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-mqqb/50da7ea1-eed7-41f9-ba6a-2aa37f5f1e92
|
|
|
|
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21554
|
2023-04-19 20:58:15 +00:00
|
|
|
metadata:
|
2023-04-28 08:11:21 +00:00
|
|
|
max-request: 2
|
2023-06-04 08:13:42 +00:00
|
|
|
verified: true
|
2023-04-19 20:58:15 +00:00
|
|
|
shodan-query: MSMQ
|
|
|
|
censys-query: services.service_name:MSMQ
|
|
|
|
tags: network,msmq,detect
|
2023-04-19 15:34:10 +00:00
|
|
|
|
2023-04-27 04:28:59 +00:00
|
|
|
tcp:
|
2023-04-19 15:34:10 +00:00
|
|
|
- inputs:
|
2023-04-19 17:47:04 +00:00
|
|
|
- data: 10c00b004c494f523c020000ffffffff00000200d1587355509195954997b6e611ea26c60789cd434c39118f44459078909ea0fc4ecade1d100300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
|
|
|
|
type: hex
|
2023-04-19 15:34:10 +00:00
|
|
|
|
|
|
|
host:
|
|
|
|
- "{{Hostname}}"
|
|
|
|
- "{{Host}}:1801"
|
2023-04-19 17:47:04 +00:00
|
|
|
|
2023-04-19 15:34:10 +00:00
|
|
|
read-size: 2048
|
2023-04-19 17:47:04 +00:00
|
|
|
|
2023-04-19 15:34:10 +00:00
|
|
|
matchers:
|
|
|
|
- type: word
|
|
|
|
encoding: hex
|
|
|
|
words:
|
|
|
|
- "105a0b004c494f523c020000ffffffff"
|