Potential CVE-2021-41379 Exploitation Attempt
Detects potential exploitation attempts of CVE-2021-41379 (InstallerFileTakeOver), a local privilege escalation (LPE) vulnerability where the attacker spawns a "cmd.exe" process as a child of Microsoft Edge elevation service "elevation_service" with "LOCAL_SYSTEM" rights
Sigma rule

title: Potential CVE-2021-41379 Exploitation Attempt
id: af8bbce4-f751-46b4-8d91-82a33a736f61
status: test
description: Detects potential exploitation attempts of CVE-2021-41379 (InstallerFileTakeOver), a local privilege escalation (LPE) vulnerability where the attacker spawns a "cmd.exe" process as a child of Microsoft Edge elevation service "elevation_service" with "LOCAL_SYSTEM" rights
references:
    - https://web.archive.org/web/20220421061949/https://github.com/klinix5/InstallerFileTakeOver
    - https://www.bleepingcomputer.com/news/microsoft/new-windows-zero-day-with-public-exploit-lets-you-become-an-admin/
    - https://www.zerodayinitiative.com/advisories/ZDI-21-1308/
    - https://www.logpoint.com/en/blog/detecting-privilege-escalation-zero-day-cve-2021-41379/
author: Florian Roth (Nextron Systems)
date: 2021-11-22
modified: 2024-12-01
tags:
    - attack.privilege-escalation
    - attack.t1068
    - cve.2021-41379
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\cmd.exe'
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'Cmd.Exe'
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_parent:
        ParentImage|endswith: '\elevation_service.exe'
        IntegrityLevel:
            - 'System'
            - 'S-1-16-16384' # System
    condition: all of selection_*
falsepositives:
    - Unknown
level: critical
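To make the rule's matching semantics concrete, here is an added Python re-implementation of its detection block run over a handful of constructed process_creation events. This is example code written for this page; it is not part of the Sigma project or of the rule author's tooling. Field names follow the Sysmon-style process_creation schema the rule targets, the executable paths (including the Edge elevation service path) are made up for illustration, and the event records are constructed rather than real telemetry.

```python
# Added example: reference implementation of the rule's matching logic over
# constructed process_creation events. Not part of Sigma or the rule author's
# tooling; paths and event records below are made up.

# Values copied from the rule.
IMAGE_SUFFIXES = ("\\cmd.exe", "\\powershell.exe", "\\pwsh.exe")
ORIGINAL_FILE_NAMES = ("Cmd.Exe", "PowerShell.EXE", "pwsh.dll")
PARENT_SUFFIX = "\\elevation_service.exe"
SYSTEM_INTEGRITY = ("System", "S-1-16-16384")  # label name and its SID form


def _norm(value):
    # Sigma string matching is case-insensitive by default; a field that is
    # absent from the event never matches, so treat it as the empty string.
    return (value or "").lower()


def selection_img(event):
    """A YAML list of maps is OR-ed in Sigma: either the Image suffix or the
    OriginalFileName (taken from the PE version resource, so it survives
    a renamed binary) must match."""
    image = _norm(event.get("Image"))
    original = _norm(event.get("OriginalFileName"))
    return (any(image.endswith(s.lower()) for s in IMAGE_SUFFIXES)
            or original in {n.lower() for n in ORIGINAL_FILE_NAMES})


def selection_parent(event):
    """Fields inside one map are AND-ed: the parent must be the Edge
    elevation service AND the child must run at System integrity."""
    parent = _norm(event.get("ParentImage"))
    level = _norm(event.get("IntegrityLevel"))
    return (parent.endswith(PARENT_SUFFIX.lower())
            and level in {x.lower() for x in SYSTEM_INTEGRITY})


def matches(event):
    """condition: all of selection_* -> both selections must hold."""
    return selection_img(event) and selection_parent(event)


# Constructed events (not real telemetry); paths are illustrative only.
EDGE_SVC = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\elevation_service.exe"
EVENTS = [
    {"id": "evt-1", "Image": "C:\\Windows\\System32\\cmd.exe",
     "OriginalFileName": "Cmd.Exe", "ParentImage": EDGE_SVC,
     "IntegrityLevel": "System"},                          # textbook hit
    {"id": "evt-2", "Image": "C:\\Windows\\System32\\cmd.exe",
     "OriginalFileName": "Cmd.Exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "IntegrityLevel": "Medium"},                          # ordinary user shell
    {"id": "evt-3", "Image": "C:\\Users\\u\\AppData\\Local\\Temp\\svc.exe",
     "OriginalFileName": "PowerShell.EXE", "ParentImage": EDGE_SVC,
     "IntegrityLevel": "S-1-16-16384"},                    # renamed binary, SID form
    {"id": "evt-4", "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": EDGE_SVC, "IntegrityLevel": "Medium"}, # fails IntegrityLevel
    {"id": "evt-5", "Image": "C:\\Windows\\System32\\conhost.exe",
     "OriginalFileName": "CONHOST.EXE", "ParentImage": EDGE_SVC,
     "IntegrityLevel": "System"},                          # fails selection_img
]


def alerts(events=EVENTS):
    """Return the ids of the events the rule would fire on."""
    return [e["id"] for e in events if matches(e)]


if __name__ == "__main__":
    print(alerts())  # ['evt-1', 'evt-3']
```

Two design points of the rule show up in the sample set: evt-3 is caught only because OriginalFileName is OR-ed with the Image suffix list, so renaming cmd.exe or powershell.exe does not evade it, and evt-4 is dropped because IntegrityLevel is AND-ed with the parent check, so the rule fires on a System-integrity child of the elevation service rather than on every child it spawns. The SID value S-1-16-16384 is the System mandatory label, which some log pipelines emit instead of the name form.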
Related rules
- Exploiting CVE-2019-1388
- InstallerFileTakeOver LPE CVE-2021-41379 File Create Event
- Suspicious Sysmon as Execution Parent
- Exploiting SetupComplete.cmd CVE-2019-1378
- Potential SystemNightmare Exploitation Attempt