InstallerFileTakeOver LPE CVE-2021-41379 File Create Event

 1title: InstallerFileTakeOver LPE CVE-2021-41379 File Create Event
 2id: 3be82d5d-09fe-4d6a-a275-0d40d234d324
 3status: test
 4description: Detects signs of the exploitation of LPE CVE-2021-41379 that include an msiexec process that creates an elevation_service.exe file
 5references:
 6    - https://web.archive.org/web/20220421061949/https://github.com/klinix5/InstallerFileTakeOver
 7    - https://www.zerodayinitiative.com/advisories/ZDI-21-1308/
 8author: Florian Roth (Nextron Systems)
 9date: 2021-11-22
10modified: 2022-12-25
11tags:
12    - attack.privilege-escalation
13    - attack.t1068
14    - detection.emerging-threats
15logsource:
16    category: file_event
17    product: windows
18detection:
19    selection:
20        Image|endswith: '\msiexec.exe'
21        TargetFilename|startswith: 'C:\Program Files (x86)\Microsoft\Edge\Application'
22        TargetFilename|endswith: '\elevation_service.exe'
23    condition: selection
24falsepositives:
25    - Unknown
26    - Possibly some Microsoft Edge upgrades
27fields:
28    - ComputerName
29    - TargetFilename
30level: critical

References

• GitHub - klinix5/InstallerFileTakeOver

  

  Contribute to klinix5/InstallerFileTakeOver development by creating an account on GitHub.

  
  Read More

• ZDI-21-1308

  

  Microsoft Windows Installer Service Link Following Privilege Escalation Vulnerability

  
  Read More

Related rules

• Suspicious Sysmon as Execution Parent
• Exploiting CVE-2019-1388
• Exploiting SetupComplete.cmd CVE-2019-1378
• Potential CVE-2021-41379 Exploitation Attempt
• Potential SystemNightmare Exploitation Attempt