Potential CVE-2021-41379 Exploitation Attempt

 1title: Potential CVE-2021-41379 Exploitation Attempt
 2id: af8bbce4-f751-46b4-8d91-82a33a736f61
 3status: test
 4description: Detects potential exploitation attempts of CVE-2021-41379 (InstallerFileTakeOver), a local privilege escalation (LPE) vulnerability where the attacker spawns a "cmd.exe" process as a child of Microsoft Edge elevation service "elevation_service" with "LOCAL_SYSTEM" rights
 5references:
 6    - https://web.archive.org/web/20220421061949/https://github.com/klinix5/InstallerFileTakeOver
 7    - https://www.bleepingcomputer.com/news/microsoft/new-windows-zero-day-with-public-exploit-lets-you-become-an-admin/
 8    - https://www.zerodayinitiative.com/advisories/ZDI-21-1308/
 9    - https://www.logpoint.com/en/blog/detecting-privilege-escalation-zero-day-cve-2021-41379/
10author: Florian Roth (Nextron Systems)
11date: 2021-11-22
12modified: 2023-02-13
13tags:
14    - attack.privilege-escalation
15    - attack.t1068
16    - cve.2021-41379
17    - detection.emerging-threats
18logsource:
19    category: process_creation
20    product: windows
21detection:
22    selection_img:
23        - Image|endswith:
24              - '\cmd.exe'
25              - '\powershell.exe'
26              - '\pwsh.exe'
27        - OriginalFileName:
28              - 'Cmd.Exe'
29              - 'PowerShell.EXE'
30              - 'pwsh.dll'
31    selection_parent:
32        ParentImage|endswith: '\elevation_service.exe'
33        IntegrityLevel: 'System'
34    condition: all of selection_*
35falsepositives:
36    - Unknown
37level: critical

References

• GitHub - klinix5/InstallerFileTakeOver

  

  Contribute to klinix5/InstallerFileTakeOver development by creating an account on GitHub.

  
  Read More

• New Windows zero-day with public exploit lets you become an admin

  

  A security researcher has publicly disclosed an exploit for a new Windows zero-day local privilege elevation vulnerability that gives admin privileges in Windows 10, Windows 11, and Windows Server.

  
  Read More

• ZDI-21-1308

  

  Microsoft Windows Installer Service Link Following Privilege Escalation Vulnerability

  
  Read More

• Detecting Privilege Escalation Zero Day (CVE-2021-41379)

  

  On November 22, 2021, Security researcher Abdelhamid Naceri dropped PoC for a privilege escalation vulnerability (CVE-2021-41379) in the Windows installer that Microsoft had patched in November's Patch Tuesday. The PoC works on all supported versions of Windows.

  
  Read More

Related rules

• Exploiting CVE-2019-1388
• Exploiting SetupComplete.cmd CVE-2019-1378
• Potential SystemNightmare Exploitation Attempt
• APT PRIVATELOG Image Load Pattern
• Audit CVE Event