Kusto hunting query for CVE-2021-40444

Maldoc, Forensics 3 Minutes

Introduction

On September 7th 2021, Microsoft published customer guidance concerning CVE-2021-40444, an MSHTML Remote Code Execution Vulnerability:

Microsoft is investigating reports of a remote code execution vulnerability in MSHTML that affects Microsoft Windows. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents.

An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Microsoft

In practice, the attack basically involves a specially-crafted Microsoft Office document, which includes an ActiveX element, which activates the MSHTML component. The vulnerability as such resides in this MSHTML component.

Seeing there is reported exploitation in the wild (ITW), we decided to write a quick Kusto (KQL) rule that allows for hunting in Microsoft Defender ATP.

The query

let process = dynamic(["winword.exe","wordview.exe","wordpad.exe","powerpnt.exe","excel.exe"]);
DeviceImageLoadEvents
| where FileName in ("mshtml.dll", "Microsoft.mshtml.dll")
| where InitiatingProcessFileName in~ (process) 
//We only want actual files ran, not Office restore operations etc.
| where strlen(InitiatingProcessCommandLine) > 40
| project Timestamp, DeviceName, InitiatingProcessFolderPath, 
    InitiatingProcessParentFileName, InitiatingProcessParentCreationTime, 
    InitiatingProcessCommandLine

In this query, the following is performed:

  • Add relevant Microsoft Office process names to an array;
  • Add both common filenames for MSHTML;
  • Get a string length larger than 40 characters: this is to weed out false positives, for example where the command line only contains the process in question and a parameter such as /restore or /safe;
  • Display the results.

Results

This was of course tested – a sample set of over 10,000 endpoints across several environments and spanning 7 days, delivered a total of 37 results. These results can be broken down as follows:

Figure 1 – Query Results

None of these processes are anomalous per se:

  • Explorer.exe: graphical user interface, the result of a user opening, for example, Microsoft Word from their Documents folder;
  • Protocolhandler.exe: handles URI schemes in Microsoft Office;
  • Outlook.exe: Microsoft’s email client;
  • Runtimebroker.exe: helps manage permissions from Microsoft Store apps (such as Microsoft Office).

While each of these processes warrant a closer look, you’ll be able to assess quicker if there’s anything anomalous going on by verifying what’s in the InitiatingProcessCommandLine column.

If it contains a remote web address, the file was likely opened from SharePoint or from another online location. If it does not contain a remote web address, the file is stored and opened locally.

Pay special attention to files opened locally or launched by Outlook as parent process: chances are likely this is the result from a phishing email. In case you suspect a true positive:

  • Verify with the user if they have knowledge of opening this file, and if it was from an email they were expecting;
  • If possible, grab a copy of the file and use the option to submit to Microsoft (or a private sandbox of your choice; if public sandbox, then know that what you upload is public to everyone) to further determine if it is malicious;
  • Perform a separate investigation on the user or their device to determine if there’s any other events that may be out of the ordinary.

Ultimately, you can leverage the following process:

  • Run the query for a first time, and for a limited time period (7 days as in our example) or limited set of hosts;
  • Investigate each to create a baseline, and separate the wheat from the chaff (or the true from false positive);
  • Finetune the Kusto query above to your environment;
  • Happy hunting!

Conclusion

A vulnerability actively exploited in the MSHTML component affects in theory all Microsoft Office products that make use of it.

Patch as soon as Microsoft has a patch available (potentially, an out-of-band patch will be created soon) and apply the Mitigations and Workaround as described by Microsoft:

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444

Thanks to our colleagues Remco and Niels for performing unit tests.

Published by Bart Parys

Published

One thought on “Kusto hunting query for CVE-2021-40444

  1. Pingback: Kusto hunting query for CVE-2021-40444 – NVISO Labs – Library 9: Gladius Edition

Leave a Reply