# Nuclei network template: fingerprints a reachable MSMQ listener on TCP/1801.
# It sends one fixed binary probe and reports a hit when the hex-encoded reply
# contains the expected 16-byte sequence. Detection only: nothing below checks
# patch level, so a hit means "MSMQ is reachable here", not "this host is
# vulnerable".
id: msmq-detect

info:
  name: MSMQ (Microsoft Message Queuing Service) Remote - Detect
  author: bhutch
  # Informational: the finding is the exposure itself.
  severity: info
  description: >-
    Detects remote MSMQ services. Public exposure of this service may be a
    misconfiguration.
  reference:
    - https://www.shadowserver.org/what-we-do/network-reporting/accessible-msmq-service-report/
    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-mqqb/f9bbe350-d70b-4e90-b9c7-d39328653166
    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-mqqb/50da7ea1-eed7-41f9-ba6a-2aa37f5f1e92
    # Listed as context for why exposure matters; this template does not test
    # for the CVE. Patch status has to be confirmed on the host.
    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21554
  metadata:
    verified: true
    max-request: 1
    shodan-query: MSMQ
    censys-query: 'services.service_name:MSMQ'
  tags: network,msmq,detect,detection,tcp

tcp:
  - inputs:
      # Probe bytes, written as one double-quoted scalar with escaped line
      # breaks so the value is still a single unbroken hex string.
      # The first 16 bytes carry ASCII "LIOR" (4c494f52) followed by a
      # little-endian 0x0000023c (572), presumably the packet length per the
      # MS-MQQB pages in info.reference - confirm against the spec.
      # Chunks: 16 + 4 + 16 + 16 + 4 + 4 bytes, then 16 lines of 64 hex zeros
      # (512 bytes of padding).
      # NOTE(review): the decoded payload should be 572 bytes to agree with
      # that length field; re-check the byte count after any edit.
      - data: "10c00b004c494f523c020000ffffffff\
          00000200\
          d1587355509195954997b6e611ea26c6\
          0789cd434c39118f44459078909ea0fc\
          4ecade1d\
          10030000\
          0000000000000000000000000000000000000000000000000000000000000000\
          0000000000000000000000000000000000000000000000000000000000000000\
          0000000000000000000000000000000000000000000000000000000000000000\
          0000000000000000000000000000000000000000000000000000000000000000\
          0000000000000000000000000000000000000000000000000000000000000000\
          0000000000000000000000000000000000000000000000000000000000000000\
          0000000000000000000000000000000000000000000000000000000000000000\
          0000000000000000000000000000000000000000000000000000000000000000\
          0000000000000000000000000000000000000000000000000000000000000000\
          0000000000000000000000000000000000000000000000000000000000000000\
          0000000000000000000000000000000000000000000000000000000000000000\
          0000000000000000000000000000000000000000000000000000000000000000\
          0000000000000000000000000000000000000000000000000000000000000000\
          0000000000000000000000000000000000000000000000000000000000000000\
          0000000000000000000000000000000000000000000000000000000000000000\
          0000000000000000000000000000000000000000000000000000000000000000"
        type: hex

    host:
      - "{{Hostname}}"
    # Fixed port: services moved off 1801 are not seen by this template.
    port: 1801
    # Upper bound on reply bytes read before matching.
    read-size: 2048

    matchers:
      # The reply is hex-encoded, then searched for this sequence. It differs
      # from the probe's first 16 bytes only in the second byte (c0 -> 5a).
      # The word may match anywhere in the encoded reply, not just at offset 0.
      - type: word
        encoding: hex
        words:
          - '105a0b004c494f523c020000ffffffff'

# The digest line is the signature shipped with the template. It was presumably
# computed over the upstream text, so any edit to this file (comments included)
# leaves it stale; re-sign before relying on signature verification.
# digest: 4a0a0047304502203fc66a166d2e8a433e525c6c29298afaabcc8de986a6ef483ea4b655c683d67a022100ad4f3844173f351244d9d5510527e7bc4b73c5a30bfe19b61ba511a181c58702:922c64590222798bb761d5b6d8e72950