Potential Exploitation Attempt From Office Application
Detects an Office application spawning a child process whose command line contains a directory traversal pattern (four chained `..` segments, in either slash style). This could be an attempt to exploit CVE-2022-30190 (MSDT RCE, "Follina") or CVE-2021-40444 (MSHTML RCE). Note that the rule keys only on the parent image and the command line: the child image (msdt.exe, mshta.exe, cmd.exe or anything else) is not checked, so any process an Office application launches with such a pattern will fire it. The false positive field is still "Unknown", so tune against your own baseline before treating the high level as actionable.
Sigma rule

title: Potential Exploitation Attempt From Office Application
id: 868955d9-697e-45d4-a3da-360cefd7c216
status: test
description: Detects Office applications executing a child process that includes directory traversal patterns. This could be an attempt to exploit CVE-2022-30190 (MSDT RCE) or CVE-2021-40444 (MSHTML RCE)
references:
    - https://twitter.com/sbousseaden/status/1531653369546301440
    - https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-40444
    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190
author: Christian Burkard (Nextron Systems), @SBousseaden (idea)
date: 2022-06-02
modified: 2023-02-04
tags:
    - attack.execution
    - attack.defense-evasion
    - cve.2021-40444
    - detection.emerging-threats
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentImage|endswith:
            - '\winword.exe'
            - '\excel.exe'
            - '\powerpnt.exe'
            - '\msaccess.exe'
            - '\mspub.exe'
            - '\eqnedt32.exe'
            - '\visio.exe'
        CommandLine|contains:
            - '../../../..'
            - '..\..\..\..'
            - '..//..//..//..'
    condition: selection
falsepositives:
    - Unknown
level: high
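To make the selection logic concrete, the following is an added example (not part of the Sigma rule or the SigmaHQ project) that re-implements the rule's `ParentImage|endswith` and `CommandLine|contains` checks in Python and runs them over a handful of constructed process-creation events. It assumes the Sigma convention that string comparison is case-insensitive; the event field names, paths and command lines are made up for illustration and are not taken from any real incident.

```python
"""Reference implementation of the selection in the Sigma rule above.

Added example, not the rule's own code. Events are constructed dictionaries
shaped like a Sysmon / Windows process_creation record with the two fields
the rule uses (ParentImage, CommandLine) plus an EventId for bookkeeping.
"""

# Values copied from the rule's ParentImage|endswith list.
OFFICE_PARENTS = (
    r"\winword.exe", r"\excel.exe", r"\powerpnt.exe", r"\msaccess.exe",
    r"\mspub.exe", r"\eqnedt32.exe", r"\visio.exe",
)

# Values copied from the rule's CommandLine|contains list.
TRAVERSAL_PATTERNS = ("../../../..", r"..\..\..\..", "..//..//..//..")


def _endswith_any(value: str, suffixes) -> bool:
    """Sigma 'endswith' modifier: case-insensitive suffix match on any value."""
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def _contains_any(value: str, needles) -> bool:
    """Sigma 'contains' modifier: case-insensitive substring match on any value."""
    v = value.lower()
    return any(n.lower() in v for n in needles)


def rule_matches(event: dict) -> bool:
    """condition: selection  (both field checks in the selection must hold)."""
    parent = event.get("ParentImage", "")
    cmdline = event.get("CommandLine", "")
    return _endswith_any(parent, OFFICE_PARENTS) and _contains_any(cmdline, TRAVERSAL_PATTERNS)


def scan(events) -> list:
    """Return the EventIds of all events the rule would alert on."""
    return [e["EventId"] for e in events if rule_matches(e)]


OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 1: Word launching msdt.exe with a four-level traversal -> should match
    {"EventId": "1", "ParentImage": OFFICE + r"\WINWORD.EXE",
     "CommandLine": r'msdt.exe /id PCWDiagnostic /skip force /param "IT_BrowseForFile=..\..\..\..\Windows\System32\calc.exe"'},
    # 2: Excel (upper-case image name) with forward-slash traversal -> should match
    {"EventId": "2", "ParentImage": OFFICE + r"\EXCEL.EXE",
     "CommandLine": "cmd.exe /c type ../../../../Users/Public/payload.txt"},
    # 3: traversal present, but parent is explorer.exe -> no match
    {"EventId": "3", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /c type ..\..\..\..\boot.ini"},
    # 4: benign child of Word (print spooler helper), no traversal -> no match
    {"EventId": "4", "ParentImage": OFFICE + r"\WINWORD.EXE",
     "CommandLine": r"C:\Windows\splwow64.exe 12288"},
    # 5: only two '..' segments; below the rule's depth threshold -> no match
    {"EventId": "5", "ParentImage": OFFICE + r"\POWERPNT.EXE",
     "CommandLine": r"cmd.exe /c dir ..\..\shared"},
    # 6: Visio with the double-slash variant -> should match
    {"EventId": "6", "ParentImage": OFFICE + r"\VISIO.EXE",
     "CommandLine": "cmd.exe /c start ..//..//..//..//Temp//a.hta"},
]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"event {ev['EventId']}: {'ALERT' if rule_matches(ev) else 'ok'}")
```

Event 5 illustrates the depth threshold the rule bakes in: a command line with fewer than four chained `..` segments does not trigger it, and event 3 shows that the traversal string alone is not enough without an Office parent.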
Related rules
- APT29 2018 Phishing Campaign CommandLine Indicators
- Fireball Archer Install
- Goofy Guineapig Backdoor IOC
- Greenbug Espionage Group Indicators
- Operation Wocao Activity