Potential Exploitation Attempt From Office Application

Detects Office applications executing a child process that includes directory traversal patterns. This could be an attempt to exploit CVE-2022-30190 (MSDT RCE) or CVE-2021-40444 (MSHTML RCE)

Sigma rule (View on GitHub)

 1title: Potential Exploitation Attempt From Office Application
 2id: 868955d9-697e-45d4-a3da-360cefd7c216
 3status: test
 4description: Detects Office applications executing a child process that includes directory traversal patterns. This could be an attempt to exploit CVE-2022-30190 (MSDT RCE) or CVE-2021-40444 (MSHTML RCE)
 5references:
 6    - https://twitter.com/sbousseaden/status/1531653369546301440
 7    - https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-40444
 8    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190
 9author: Christian Burkard (Nextron Systems), @SBousseaden (idea)
10date: 2022-06-02
11modified: 2023-02-04
12tags:
13    - attack.execution
14    - attack.defense-evasion
15    - cve.2021-40444
16    - detection.emerging-threats
17logsource:
18    product: windows
19    category: process_creation
20detection:
21    selection:
22        ParentImage|endswith:
23            - '\winword.exe'
24            - '\excel.exe'
25            - '\powerpnt.exe'
26            - '\msaccess.exe'
27            - '\mspub.exe'
28            - '\eqnedt32.exe'
29            - '\visio.exe'
30        CommandLine|contains:
31            - '../../../..'
32            - '..\..\..\..'
33            - '..//..//..//..'
34    condition: selection
35falsepositives:
36    - Unknown
37level: high

References

Related rules

to-top