InstallerFileTakeOver LPE CVE-2021-41379 File Create Event
Detects signs of exploitation of the local privilege escalation CVE-2021-41379 (InstallerFileTakeOver): an msiexec.exe process creating an elevation_service.exe file under the Microsoft Edge application directory.
Sigma rule (View on GitHub)
title: InstallerFileTakeOver LPE CVE-2021-41379 File Create Event
id: 3be82d5d-09fe-4d6a-a275-0d40d234d324
status: test
description: Detects signs of the exploitation of LPE CVE-2021-41379 that include an msiexec process that creates an elevation_service.exe file
references:
    - https://web.archive.org/web/20220421061949/https://github.com/klinix5/InstallerFileTakeOver
    - https://www.zerodayinitiative.com/advisories/ZDI-21-1308/
author: Florian Roth (Nextron Systems)
date: 2021-11-22
modified: 2022-12-25
tags:
    - attack.privilege-escalation
    - attack.t1068
    - detection.emerging-threats
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith: '\msiexec.exe'
        TargetFilename|startswith: 'C:\Program Files (x86)\Microsoft\Edge\Application'
        TargetFilename|endswith: '\elevation_service.exe'
    condition: selection
falsepositives:
    - Unknown
    - Possibly some Microsoft Edge upgrades
fields:
    - ComputerName
    - TargetFilename
level: critical
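To see what the selection above actually fires on, here is the rule's three-part condition replayed over a handful of constructed Sysmon Event ID 11 (FileCreate) records. This is an added example, not part of the rule or of the SigmaHQ project; the host names, paths and events are made up for illustration, and the matching applies Sigma's default case-insensitive string semantics the way a backend would.

```python
"""Replay the CVE-2021-41379 Sigma selection over constructed Sysmon FileCreate events."""
from dataclasses import dataclass

# Selection block of the rule, transcribed from the page. Sigma string
# matching is case-insensitive by default, so both sides are lower-cased.
IMAGE_SUFFIX = r"\msiexec.exe"
TARGET_PREFIX = r"C:\Program Files (x86)\Microsoft\Edge\Application"
TARGET_SUFFIX = r"\elevation_service.exe"


@dataclass(frozen=True)
class FileCreateEvent:
    """Minimal view of a Sysmon Event ID 11 record.

    Only the fields the selection references are modelled, plus
    ComputerName because the rule lists it under `fields`.
    """
    computer_name: str
    image: str
    target_filename: str


def matches_rule(event: FileCreateEvent) -> bool:
    """True when all three selection entries hold (a Sigma map is an AND)."""
    image = event.image.lower()
    target = event.target_filename.lower()
    return (
        image.endswith(IMAGE_SUFFIX.lower())
        and target.startswith(TARGET_PREFIX.lower())
        and target.endswith(TARGET_SUFFIX.lower())
    )


def run_detection(events):
    """Return the events that trigger the rule, in input order."""
    return [e for e in events if matches_rule(e)]


# Constructed sample telemetry (not captured from a real host).
SAMPLE_EVENTS = [
    # Exploit-like: msiexec writing the Edge elevation service binary.
    FileCreateEvent(
        "WS-0421",
        r"C:\Windows\System32\msiexec.exe",
        r"C:\Program Files (x86)\Microsoft\Edge\Application\elevation_service.exe",
    ),
    # Same activity with mixed casing; still matches (case-insensitive).
    FileCreateEvent(
        "WS-0422",
        r"C:\WINDOWS\SYSTEM32\MSIEXEC.EXE",
        r"c:\program files (x86)\microsoft\edge\application\ELEVATION_SERVICE.EXE",
    ),
    # Benign: a different writer placing the same file does not match.
    FileCreateEvent(
        "WS-0423",
        r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe",
        r"C:\Program Files (x86)\Microsoft\Edge\Application\elevation_service.exe",
    ),
    # Benign: msiexec writing an unrelated file under the Edge directory.
    FileCreateEvent(
        "WS-0424",
        r"C:\Windows\System32\msiexec.exe",
        r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.dll",
    ),
    # Same filename outside the hard-coded 'Program Files (x86)' prefix: no match.
    FileCreateEvent(
        "WS-0425",
        r"C:\Windows\System32\msiexec.exe",
        r"C:\Program Files\Microsoft\Edge\Application\elevation_service.exe",
    ),
]


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(f"CRITICAL {hit.computer_name}: {hit.image} -> {hit.target_filename}")
```

Only the first two constructed events trigger. The last one is worth noting when tuning: as written, the `startswith` entry pins the rule to the `Program Files (x86)` install path, so an identical write under a different prefix is not covered, and the `endswith` entries mean any `msiexec.exe` image path and any subdirectory depth below `Application` will match.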
Related rules
- Suspicious Sysmon as Execution Parent
- Exploiting SetupComplete.cmd CVE-2019-1378
- Potential SystemNightmare Exploitation Attempt
- CVE-2021-1675 Print Spooler Exploitation Filename Pattern
- Diamond Sleet APT Scheduled Task Creation