diff --git a/network/detection/msmq-detect.yaml b/network/detection/msmq-detect.yaml
new file mode 100644
index 0000000000..b5871353d8
--- /dev/null
+++ b/network/detection/msmq-detect.yaml
@@ -0,0 +1,30 @@
+id: msmq-detect
+
+info:
+ name: MSMQ (Microsoft Message Queuing Service) Remote Detection
+ author: bhutch
+ severity: info
+ description: Detects remote MSMQ services. Public exposure of this service may be a misconfiguration.
+ metadata:
+ censys-query: services.service_name:MSMQ
+ reference:
+ - https://www.shadowserver.org/what-we-do/network-reporting/accessible-msmq-service-report/
+ - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-mqqb/f9bbe350-d70b-4e90-b9c7-d39328653166
+ - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-mqqb/50da7ea1-eed7-41f9-ba6a-2aa37f5f1e92
+ - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21554
+ tags: network,msmq
+
+network:
+ - inputs:
+ - data: 10c00b004c494f523c020000ffffffff00000200d1587355509195954997b6e611ea26c60789cd434c39118f44459078909ea0fc4ecade1d100300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+ type: hex
+
+ host:
+ - "{{Hostname}}"
+ - "{{Host}}:1801"
+ read-size: 2048
+ matchers:
+ - type: word
+ encoding: hex
+ words:
+ - "105a0b004c494f523c020000ffffffff"
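Review bot: The description does not state that a match only proves an MSMQ listener is reachable on TCP/1801 and says nothing about its patch state, yet the reference list ends with CVE-2023-21554, so a reader may treat a hit from this template as a QueueJumper finding; suggest `description: Detects remote MSMQ services reachable on TCP/1801. Public exposure of this service may be a misconfiguration; this template confirms presence only and does not assess patch status for CVE-2023-21554.` The single matcher word pins 16 response bytes including the packet-size (`3c020000`) and time-to-reach-queue (`ffffffff`) fields of the base header, which appear to mirror the probe; if any MSMQ build does not echo those fields verbatim the matcher silently misses, so it is worth confirming the match against more than one server version or shortening the word to the flags-plus-`LIOR` signature bytes. The probe payload is an opaque 500+ byte hex blob with no comment; a one-line comment above `data:` naming the packet it encodes (base header plus user header per MS-MQQB) would help the next maintainer verify it against the spec.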