Source: Fabian Bader @fabian_bader. I made some tweaks to Fabian's original queries to utilise slightly different fields.
Identify hosts with the service and listening port (LocalPort is an integer column in DeviceNetworkEvents, so compare against the number 1801, not the string "1801"):

MDE

```kql
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where ActionType == "ListeningConnectionCreated"
| where LocalPort == 1801
| where InitiatingProcessVersionInfoOriginalFileName has "MQSVC"
| summarize by DeviceName
```

Sentinel

```kql
DeviceNetworkEvents
| where TimeGenerated > ago(30d)
| where ActionType == "ListeningConnectionCreated"
| where LocalPort == 1801
| where InitiatingProcessVersionInfoOriginalFileName has "MQSVC"
| summarize by DeviceName
```
Look for possible exploitation of CVE-2023-21554

```kql
// possible exploitation of CVE-2023-21554
// if successful, look for a follow-up outbound connection to the same external IP or to a possible secondary C2 connection.
// This would likely result in a child process being spawned from mqsvc.exe that should also be investigated.
// On the external-facing infra this will likely materialise in a webshell or similar.
DeviceNetworkEvents
| where InitiatingProcessFileName =~ "mqsvc.exe" and LocalPort == 1801 and ActionType == 'InboundConnectionAccepted'
```
Look for child processes spawned by mqsvc.exe

```kql
DeviceProcessEvents
| where ( InitiatingProcessFileName has "mqsvc.exe" and isnotempty(FileName) ) or ( InitiatingProcessParentFileName has "mqsvc.exe" and isnotempty(InitiatingProcessFileName) )
```