Potential Exploitation Attempt From Office Application
Detects Office applications executing a child process that includes directory traversal patterns. This could be an attempt to exploit CVE-2022-30190 (MSDT RCE) or CVE-2021-40444 (MSHTML RCE)
Sigma rule

title: Potential Exploitation Attempt From Office Application
id: 868955d9-697e-45d4-a3da-360cefd7c216
status: test
description: Detects Office applications executing a child process that includes directory traversal patterns. This could be an attempt to exploit CVE-2022-30190 (MSDT RCE) or CVE-2021-40444 (MSHTML RCE)
references:
    - https://twitter.com/sbousseaden/status/1531653369546301440
    - https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-40444
    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190
author: Christian Burkard (Nextron Systems), @SBousseaden (idea)
date: 2022/06/02
modified: 2023/02/04
tags:
    - attack.execution
    - attack.defense_evasion
    - cve.2021.40444
    - detection.emerging_threats
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentImage|endswith:
            - '\winword.exe'
            - '\excel.exe'
            - '\powerpnt.exe'
            - '\msaccess.exe'
            - '\mspub.exe'
            - '\eqnedt32.exe'
            - '\visio.exe'
        CommandLine|contains:
            - '../../../..'
            - '..\..\..\..'
            - '..//..//..//..'
    condition: selection
falsepositives:
    - Unknown
level: high
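To show what the selection above actually fires on, here is a small Python evaluator for the rule's logic, run over a handful of constructed process_creation events. This is an added example, not code from the Sigma project or from the rule's authors; the field names (ParentImage, CommandLine) and the suffix and substring lists are taken from the rule, while the sample events and their ids are made up. Sigma string modifiers such as endswith and contains are case-insensitive by default, so the evaluator lower-cases both sides before comparing.

```python
# Added example: evaluates the selection of the Sigma rule
# "Potential Exploitation Attempt From Office Application" over sample events.
# Not part of the Sigma project; the sample events below are constructed.

# ParentImage|endswith values copied from the rule.
PARENT_IMAGE_SUFFIXES = (
    "\\winword.exe", "\\excel.exe", "\\powerpnt.exe", "\\msaccess.exe",
    "\\mspub.exe", "\\eqnedt32.exe", "\\visio.exe",
)

# CommandLine|contains values copied from the rule (four traversal segments,
# in forward-slash, backslash and double-forward-slash form).
TRAVERSAL_PATTERNS = ("../../../..", "..\\..\\..\\..", "..//..//..//..")


def matches(event: dict) -> bool:
    """Return True when the event satisfies the rule's 'selection' block.

    Sigma string matching is case-insensitive by default, so both the
    endswith and the contains checks compare lower-cased strings. A missing
    field simply cannot match (empty string).
    """
    parent = event.get("ParentImage", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    parent_is_office = any(parent.endswith(s) for s in PARENT_IMAGE_SUFFIXES)
    has_traversal = any(p in cmdline for p in TRAVERSAL_PATTERNS)
    # condition: selection  ->  both field checks of the selection must hold
    return parent_is_office and has_traversal


def run_rule(events) -> list:
    """Return the ids of all events that trigger the rule, in input order."""
    return [e["id"] for e in events if matches(e)]


# Constructed sample events (not real telemetry). Paths are Windows-style.
SAMPLE_EVENTS = [
    {   # Word spawning cmd.exe with a four-level backslash traversal -> match
        "id": "evt-1",
        "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": "\"C:\\Windows\\System32\\cmd.exe\" /c ..\\..\\..\\..\\Users\\Public\\update.bat",
    },
    {   # Word printing via splwow64.exe, no traversal -> no match
        "id": "evt-2",
        "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
        "Image": "C:\\Windows\\splwow64.exe",
        "CommandLine": "C:\\Windows\\splwow64.exe 12288",
    },
    {   # Traversal present, but the parent is explorer.exe, not Office -> no match
        "id": "evt-3",
        "ParentImage": "C:\\Windows\\explorer.exe",
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": "cmd.exe /c type ../../../../Users/Public/notes.txt",
    },
    {   # Excel spawning powershell.exe with a forward-slash traversal -> match
        "id": "evt-4",
        "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": "powershell.exe -File ../../../../Users/Public/report.ps1",
    },
    {   # Visio child with only a two-level traversal -> below the rule's threshold
        "id": "evt-5",
        "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\VISIO.EXE",
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": "cmd.exe /c dir ..\\..\\Temp",
    },
]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(f"{event['id']}: {'ALERT' if matches(event) else 'ok'}")
    print("fired:", run_rule(SAMPLE_EVENTS))
```

Running the block reports evt-1 and evt-4 as alerts. evt-5 illustrates a coverage limit worth knowing when tuning: the rule only looks for four consecutive traversal segments, so a command line with fewer segments does not fire, and shorter variants would need a separate rule or a loosened pattern (at the cost of more noise from the "Unknown" false-positive class).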
Related rules
- Potential Baby Shark Malware Activity
- Sofacy Trojan Loader Activity
- Potential Bumblebee Remote Thread Creation
- Potential BlackByte Ransomware Activity
- Fireball Archer Install