Potential CVE-2021-41379 Exploitation Attempt

Detects potential exploitation attempts of CVE-2021-41379 (InstallerFileTakeOver), a local privilege escalation (LPE) vulnerability where the attacker spawns a "cmd.exe" process as a child of Microsoft Edge elevation service "elevation_service" with "LOCAL_SYSTEM" rights

Sigma rule (View on GitHub)

 1title: Potential CVE-2021-41379 Exploitation Attempt
 2id: af8bbce4-f751-46b4-8d91-82a33a736f61
 3status: test
 4description: Detects potential exploitation attempts of CVE-2021-41379 (InstallerFileTakeOver), a local privilege escalation (LPE) vulnerability where the attacker spawns a "cmd.exe" process as a child of Microsoft Edge elevation service "elevation_service" with "LOCAL_SYSTEM" rights
 5references:
 6    - https://web.archive.org/web/20220421061949/https://github.com/klinix5/InstallerFileTakeOver
 7    - https://www.bleepingcomputer.com/news/microsoft/new-windows-zero-day-with-public-exploit-lets-you-become-an-admin/
 8    - https://www.zerodayinitiative.com/advisories/ZDI-21-1308/
 9    - https://www.logpoint.com/en/blog/detecting-privilege-escalation-zero-day-cve-2021-41379/
10author: Florian Roth (Nextron Systems)
11date: 2021-11-22
12modified: 2024-12-01
13tags:
14    - attack.privilege-escalation
15    - attack.t1068
16    - cve.2021-41379
17    - detection.emerging-threats
18logsource:
19    category: process_creation
20    product: windows
21detection:
22    selection_img:
23        - Image|endswith:
24              - '\cmd.exe'
25              - '\powershell.exe'
26              - '\pwsh.exe'
27        - OriginalFileName:
28              - 'Cmd.Exe'
29              - 'PowerShell.EXE'
30              - 'pwsh.dll'
31    selection_parent:
32        ParentImage|endswith: '\elevation_service.exe'
33        IntegrityLevel:
34            - 'System'
35            - 'S-1-16-16384' # System
36    condition: all of selection_*
37falsepositives:
38    - Unknown
39level: critical

References

Related rules

to-top