LPE InstallerFileTakeOver PoC CVE-2021-41379

calendarApr 14, 2023 · attack.initial_access attack.t1190  ·
Share on: linkedincopy

Detects PoC tool used to exploit LPE vulnerability CVE-2021-41379

Sigma rule (View on GitHub)

 1title: LPE InstallerFileTakeOver PoC CVE-2021-41379
 2id: 7dbb86de-a0cc-494c-8aa8-b2996c9ef3c8
 3status: experimental
 4description: Detects PoC tool used to exploit LPE vulnerability CVE-2021-41379
 5references:
 6    - https://github.com/klinix5/InstallerFileTakeOver
 7author: Florian Roth (Nextron Systems)
 8date: 2021/11/22
 9modified: 2022/07/12
10tags:
11    - attack.initial_access
12    - attack.t1190
13logsource:
14    product: windows
15    service: application
16    # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
17detection:
18    selection:
19        EventID: 1033
20        Provider_Name: 'MsiInstaller'
21        Data|contains: 'test pkg'
22    condition: selection
23falsepositives:
24    - Other MSI packages for which your admins have used that name
25level: high

Related rules

to-top