← Back to SOC feed Coverage →

Suspicious Serv-U Process Pattern

sigma HIGH SigmaHQ
T1555
imProcessCreate
exploit
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-05-19T23:00:00Z · Confidence: medium

Hunt Hypothesis

Detects a suspicious process pattern which could be a sign of an exploited Serv-U service

Detection Rule

Sigma (Original)

title: Suspicious Serv-U Process Pattern
id: 58f4ea09-0fc2-4520-ba18-b85c540b0eaf
status: test
description: Detects a suspicious process pattern which could be a sign of an exploited Serv-U service
references:
    - https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/
author: Florian Roth (Nextron Systems)
date: 2021-07-14
modified: 2022-07-14
tags:
    - attack.credential-access
    - attack.t1555
    - cve.2021-35211
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\Serv-U.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\wscript.exe'
            - '\cscript.exe'
            - '\sh.exe'
            - '\bash.exe'
            - '\schtasks.exe'
            - '\regsvr32.exe'
            - '\wmic.exe'  # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/
            - '\mshta.exe'
            - '\rundll32.exe'
            - '\msiexec.exe'
            - '\forfiles.exe'
            - '\scriptrunner.exe'
    condition: selection
falsepositives:
    - Legitimate uses in which users or programs use the SSH service of Serv-U for remote command execution
level: high

KQL (Azure Sentinel)

imProcessCreate
| where (ParentProcessName endswith "\\Serv-U.exe" or ActingProcessName endswith "\\Serv-U.exe") and (TargetProcessName endswith "\\cmd.exe" or TargetProcessName endswith "\\powershell.exe" or TargetProcessName endswith "\\pwsh.exe" or TargetProcessName endswith "\\wscript.exe" or TargetProcessName endswith "\\cscript.exe" or TargetProcessName endswith "\\sh.exe" or TargetProcessName endswith "\\bash.exe" or TargetProcessName endswith "\\schtasks.exe" or TargetProcessName endswith "\\regsvr32.exe" or TargetProcessName endswith "\\wmic.exe" or TargetProcessName endswith "\\mshta.exe" or TargetProcessName endswith "\\rundll32.exe" or TargetProcessName endswith "\\msiexec.exe" or TargetProcessName endswith "\\forfiles.exe" or TargetProcessName endswith "\\scriptrunner.exe")

Required Data Sources

Sentinel TableNotes
imProcessCreateEnsure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_servu_susp_child_process.yml