Potential CVE-2021-40444 Exploitation Attempt

 1title: Potential CVE-2021-40444 Exploitation Attempt
 2id: 894397c6-da03-425c-a589-3d09e7d1f750
 3status: test
 4description: Detects potential exploitation of CVE-2021-40444 via suspicious process patterns seen in in-the-wild exploitations
 5references:
 6    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444
 7    - https://twitter.com/neonprimetime/status/1435584010202255375
 8    - https://www.joesandbox.com/analysis/476188/1/iochtml
 9author: Florian Roth (Nextron Systems), @neonprimetime
10date: 2021/09/08
11modified: 2023/02/04
12tags:
13    - attack.execution
14    - attack.t1059
15    - cve.2021.40444
16    - detection.emerging_threats
17logsource:
18    category: process_creation
19    product: windows
20detection:
21    selection:
22        Image|endswith: '\control.exe'
23        ParentImage|endswith:
24            - '\winword.exe'
25            - '\powerpnt.exe'
26            - '\excel.exe'
27    filter:
28        CommandLine|endswith:
29            - '\control.exe input.dll'
30            - '\control.exe" input.dll'
31    condition: selection and not filter
32falsepositives:
33    - Unknown
34level: high

References

• Security Update Guide - Microsoft Security Response Center

  
  Read More

• Something went wrong, but don’t fret — let’s give it another shot.

  
  Read More

• Automated Malware Analysis IOC Report for - Generated by Joe Sandbox

  

  Automated Malware Analysis - Joe Sandbox IOC Report

  
  Read More

Related rules

• Lazarus Group Activity
• Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt
• REvil Kaseya Incident Malware Patterns
• Blue Mockingbird
• CVE-2021-1675 Print Spooler Exploitation