Detection and Response for CVE-2021-40444

devonkerr · September 9, 2021, 4:01pm

Detection and Response for CVE-2021-40444

Executive summary

Elastic Security Intelligence & Analytics has identified additional behaviors related to or inspired by the disclosure of CVE-2021-40444, a remote code execution (RCE) vulnerability in MSHTML. This post provides an overview of detection capabilities related to this vulnerability. At this time we offer no information about the groups or individuals responsible.

Details

On September 7, 2021, Elastic Security identified evidence that MSHTML vulnerabilities published by Microsoft as CVE-2021-40444 and targeting MSHTML were being exploited as observed in telemetry. As we have continued to monitor telemetry for evidence of exploitation attempts and successes, we wanted to share information and resources with the community around this cluster of emerging threat activity.

MSHTML is supported by multiple components of the Microsoft ecosystem, including browsers and other Internet-capable applications. For this reason, readers should be aware that affected attack surfaces may be significant.

In several customer environments, a weaponized document containing exploit code was delivered to users. Upon opening the document, a remote OLE object in the form of a CAB archive file was retrieved from an Internet-accessible location. In at least one environment, this execution chain resulted in the deployment of a COBALTSTRIKE payload, a well-known commercial offensive security tool used both legitimately and maliciously.

Detection

Detection logic

On September 9, 2021, Elastic released guidance describing Elastic Endpoint rules that target this exploitation activity described in the public repository:

A version of the Suspicious MS Office Child Process rule for Elastic Endgame users may be useful for detecting evidence of successful exploitation.

References

Indicators of Compromise

Table 1 described atomic indicators of compromise (IOCs) observed in this intrusion-set. IOCs observed by Elastic have been included for the community, and don't represent all IOCs associated with these or other intrusions.

Artifact	Note	SHA256
A letter before court 4.docx	OOXML Microsoft Office Document	938545f7bbe40738908a95da8cdeabb2a11ce2ca36b0f6a74deda9378d380a52
ministry.cab	CAB archive	1fb13a158aff3d258b8f62fe211fabeed03f0763b2acadbccad9e8e39969ea00
championship.inf	COBALTSTRIKE Win32 DLL	6eedf45cb91f6762de4e35e36bcb03e5ad60ce9ac5a08caeb7eda035cd74762b

probson · September 14, 2021, 9:46am

I thought that after 7.13.0 we did not need to update elastic to receive new rules, i am on 7.14.0 and updated all rules yet cannot see

github.com

elastic/detection-rules/blob/main/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml

[metadata]
creation_date = "2021/09/08"
maturity = "production"
updated_date = "2021/09/08"

[rule]
author = ["Elastic"]
description = """
Identifies unusual instances of Control Panel with suspicious keywords or paths in the process command line value.
Adversaries may abuse Control.exe to proxy execution of malicious code.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "Control Panel Process with Unusual Arguments"
references = ["https://www.joesandbox.com/analysis/476188/1/html"]
risk_score = 73
rule_id = "416697ae-e468-4093-a93d-59661fa619ec"
severity = "high"

This file has been truncated. show original

name = "Control Panel Process with Unusual Arguments"

system · October 12, 2021, 9:47am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.