Suspicious Word Cab File Write CVE-2021-40444
Detects file creation patterns noticeable during the exploitation of CVE-2021-40444
Sigma rule (View on GitHub)
1title: Suspicious Word Cab File Write CVE-2021-40444
2id: 60c0a111-787a-4e8a-9262-ee485f3ef9d5
3status: test
4description: Detects file creation patterns noticeable during the exploitation of CVE-2021-40444
5references:
6 - https://twitter.com/RonnyTNL/status/1436334640617373699?s=20
7 - https://twitter.com/vanitasnk/status/1437329511142420483?s=21
8author: Florian Roth (Nextron Systems), Sittikorn S
9date: 2021/09/10
10modified: 2023/06/22
11tags:
12 - attack.resource_development
13 - attack.t1587
14 - detection.emerging_threats
15logsource:
16 product: windows
17 category: file_event
18detection:
19 selection_cab:
20 Image|endswith: '\winword.exe'
21 TargetFilename|contains: '\Windows\INetCache'
22 TargetFilename|endswith: '.cab'
23 selection_inf:
24 Image|endswith: '\winword.exe'
25 TargetFilename|contains|all:
26 - '\AppData\Local\Temp\'
27 - '.inf'
28 filter_main_legit:
29 TargetFilename|startswith: 'C:\Users\'
30 TargetFilename|contains: 'AppData\Local\Temp'
31 TargetFilename|endswith: '\Content.inf'
32 condition: 1 of selection_* and not 1 of filter_main_*
33falsepositives:
34 - Unknown
35level: high
References
Related rules
- CVE-2021-1675 Print Spooler Exploitation Filename Pattern
- FoggyWeb Backdoor DLL Loading
- Linux HackTool Execution
- Formbook Process Creation
- Mustang Panda Dropper