Detection and Response for CVE-2021-40444

Executive summary

Elastic Security Intelligence & Analytics has identified additional behaviors related to or inspired by the disclosure of CVE-2021-40444, a remote code execution (RCE) vulnerability in MSHTML. This post provides an overview of detection capabilities related to this vulnerability. At this time we offer no information about the groups or individuals responsible.

Details

On September 7, 2021, Elastic Security identified telemetry showing that the MSHTML vulnerability Microsoft published as CVE-2021-40444 was being exploited. As we continue to monitor telemetry for exploitation attempts and successes, we want to share information and resources with the community around this cluster of emerging threat activity.

MSHTML is used by multiple components of the Microsoft ecosystem, including browsers and other Internet-capable applications, so the affected attack surface may be significant.

In several customer environments, a weaponized document containing exploit code was delivered to users. When the document was opened, a remote OLE object in the form of a CAB archive was retrieved from an Internet-accessible location. In at least one environment, this execution chain resulted in the deployment of a COBALTSTRIKE payload, a well-known commercial offensive security tool used both legitimately and maliciously.

Detection

Detection logic

On September 9, 2021, Elastic released guidance describing Elastic Endpoint rules, published in the public detection rules repository, that target this exploitation activity.

A version of the Suspicious MS Office Child Process rule is also available to Elastic Endgame users and may be useful for detecting evidence of successful exploitation.

References

  1. Detection and Response for CVE-2021-40444

  2. Microsoft vulnerability disclosure

Indicators of Compromise

Table 1 describes atomic indicators of compromise (IOCs) observed in this intrusion set. The IOCs Elastic observed are shared for the community; they do not represent all IOCs associated with these or other intrusions.

| Artifact | Note | SHA256 |
| --- | --- | --- |
| A letter before court 4.docx | OOXML Microsoft Office document | 938545f7bbe40738908a95da8cdeabb2a11ce2ca36b0f6a74deda9378d380a52 |
| ministry.cab | CAB archive | 1fb13a158aff3d258b8f62fe211fabeed03f0763b2acadbccad9e8e39969ea00 |
| championship.inf | COBALTSTRIKE Win32 DLL | 6eedf45cb91f6762de4e35e36bcb03e5ad60ce9ac5a08caeb7eda035cd74762b |
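As an added example (not Elastic's rule code and not code from the original post), the following Python script applies the two detection ideas above, the Office-parent-spawns-child behaviour that the Suspicious MS Office Child Process rule targets and a hash match against the Table 1 IOCs, to constructed endpoint events. It also adds a third check suggested by Table 1 itself: championship.inf is a Win32 DLL carrying an .inf name, so a file that starts with the PE "MZ" magic under a non-PE extension is flagged. The event schema, the allow-list of benign Office children and all sample events are assumptions invented for this example.

```python
"""Constructed detection pass over the execution chain described above.

Added example, not Elastic's rule logic. Three checks over endpoint telemetry:
  1. an Office application spawning a child process that is not allow-listed,
  2. file writes whose SHA256 matches the Table 1 IOCs,
  3. a file whose first bytes are the PE 'MZ' header but whose extension is
     not a PE type (Table 1's championship.inf is a DLL under an .inf name).
The event schema (dicts with 'type', 'parent', 'name', 'cmdline', 'sha256',
'header') and the sample events are assumptions made for this example.
"""
import hashlib
import os

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Children Office spawns legitimately in many environments; tune per site (assumption).
ALLOWED_CHILDREN = {"splwow64.exe", "werfault.exe", "dwwin.exe"}

# Atomic IOCs from Table 1 of the post.
IOC_SHA256 = {
    "938545f7bbe40738908a95da8cdeabb2a11ce2ca36b0f6a74deda9378d380a52": "A letter before court 4.docx",
    "1fb13a158aff3d258b8f62fe211fabeed03f0763b2acadbccad9e8e39969ea00": "ministry.cab",
    "6eedf45cb91f6762de4e35e36bcb03e5ad60ce9ac5a08caeb7eda035cd74762b": "championship.inf",
}

# Extensions under which a PE image is expected; 'MZ' bytes under any other name are suspicious.
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".ocx", ".cpl", ".scr", ".drv"}


def office_child_alerts(events):
    """Return (parent, child, cmdline) for Office parents spawning non-allow-listed children."""
    return [
        (ev["parent"], ev["name"], ev["cmdline"])
        for ev in events
        if ev["type"] == "process"
        and ev["parent"].lower() in OFFICE_PARENTS
        and ev["name"].lower() not in ALLOWED_CHILDREN
    ]


def ioc_hash_hits(events):
    """Return (observed file name, Table 1 artifact) for file events whose hash is a known IOC."""
    return [
        (ev["name"], IOC_SHA256[ev["sha256"].lower()])
        for ev in events
        if ev["type"] == "file" and ev["sha256"].lower() in IOC_SHA256
    ]


def pe_masquerade_alerts(events):
    """Return names of files that begin with the PE 'MZ' magic but lack a PE extension."""
    alerts = []
    for ev in events:
        if ev["type"] != "file":
            continue
        ext = os.path.splitext(ev["name"])[1].lower()
        if ev["header"][:2] == b"MZ" and ext not in PE_EXTENSIONS:
            alerts.append(ev["name"])
    return alerts


def triage(events):
    """Run all three checks and return a summary dict a responder can act on."""
    return {
        "office_children": office_child_alerts(events),
        "ioc_hits": ioc_hash_hits(events),
        "pe_masquerade": pe_masquerade_alerts(events),
    }


# Constructed sample telemetry (not real logs). Benign entries show what must NOT fire.
SAMPLE_EVENTS = [
    {"type": "process", "parent": "WINWORD.EXE", "name": "splwow64.exe",
     "cmdline": "splwow64.exe 8192"},
    {"type": "process", "parent": "explorer.exe", "name": "cmd.exe",
     "cmdline": "cmd.exe"},
    # Hypothetical post-exploitation child; the post does not name the real one.
    {"type": "process", "parent": "WINWORD.EXE", "name": "cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"type": "file", "name": "A letter before court 4.docx",
     "sha256": "938545F7BBE40738908A95DA8CDEABB2A11CE2CA36B0F6A74DEDA9378D380A52",
     "header": b"PK\x03\x04"},                       # OOXML is a ZIP container
    {"type": "file", "name": "ministry.cab",
     "sha256": "1fb13a158aff3d258b8f62fe211fabeed03f0763b2acadbccad9e8e39969ea00",
     "header": b"MSCF"},                             # CAB magic
    {"type": "file", "name": "championship.inf",
     "sha256": "6eedf45cb91f6762de4e35e36bcb03e5ad60ce9ac5a08caeb7eda035cd74762b",
     "header": b"MZ\x90\x00"},                       # PE image under an .inf name
    {"type": "file", "name": "notes.txt",
     "sha256": hashlib.sha256(b"benign").hexdigest(),
     "header": b"benign"},
]

if __name__ == "__main__":
    for check, hits in triage(SAMPLE_EVENTS).items():
        print(f"{check}: {hits}")
```

Hash matching (check 2) catches only the exact samples in Table 1 and is defeated by a single byte change, which is why the two behavioural checks matter more in practice: an Office parent spawning an unexpected child and a PE image written under a non-PE extension hold regardless of which CAB or DLL the next campaign ships.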

I thought that after 7.13.0 we did not need to update Elastic to receive new rules. I am on 7.14.0 and have updated all rules, yet I cannot see

name = "Control Panel Process with Unusual Arguments"