Attachment: CVE-2021-40444 - MSHTML Remote Code Execution Vulnerability

Attachment contains an external relationship that attempts to load a remote OLE object, consistent with use in CVE-2021-40444.

On September 7, 2021, Microsoft released details about a zero day RCE vulnerability in MSHTML that affects Microsoft Windows.

According to Microsoft: "we are aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents. An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine."

Sublime rule (View on GitHub)

```yaml
name: "Attachment: CVE-2021-40444 - MSHTML Remote Code Execution Vulnerability"
description: |
  Attachment contains an external relationship that attempts to load a remote OLE object, consistent with use in CVE-2021-40444.

  On September 7, 2021, Microsoft released details about a zero day RCE vulnerability in MSHTML that affects Microsoft Windows.

  According to Microsoft: "we are aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents. An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine."
references:
  - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444"
  - "https://twitter.com/buffaloverflow/status/1436261107329642522"
  - "https://twitter.com/jroosen/status/1435792491899494402"
  - "https://twitter.com/decalage2/status/1436433067619622916"
  - "https://www.reddit.com/r/crowdstrike/comments/pkb9wi/situational_awareness_cve202140444_mshtml_remote/"
  - "https://twitter.com/aaaddress1/status/1436393045939814400"
type: "rule"
severity: "critical"
source: |
  type.inbound
  and any(attachments,
          (
            (
              .file_extension in~ $file_extensions_macros
              or .file_extension =~ "rtf"
              or (
                .file_extension is null
                and .file_type == "unknown"
                and .content_type == "application/octet-stream"
                and .size < 100000000
              )
            )
            and any(file.oletools(.).relationships, regex.icontains(.target, ".*html:http.*"))
          )
          or (
            .file_extension in~ $file_extensions_common_archives
            and any(file.explode(.),
                    .flavors.mime == "text/xml"
                    and any(.scan.strings.strings, regex.icontains(., ".*oleObject.*mhtml.*http.*"))
            )
          )
  )
tags:
  - "CVE-2021-40444"
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Exploit"
  - "Macros"
  - "Scripting"
detection_methods:
  - "Archive analysis"
  - "Content analysis"
  - "File analysis"
  - "Macro analysis"
  - "OLE analysis"
id: "8cefcf7f-2a48-5102-9b09-8db995759223"
```
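The rule above has two branches: the first asks Sublime's `file.oletools` for the attachment's OLE/OOXML relationships and flags any whose target contains `html:http` (the `mhtml:` scheme used to pull the remote object), the second explodes a common archive and looks for raw XML parts whose strings contain `oleObject`, `mhtml` and `http` in that order. The following added example, which is not part of the Sublime rule or its library, reproduces both checks outside the Sublime platform using only Python's standard library: it opens an OOXML package as a zip, parses every `.rels` part for Relationship targets, scans XML parts with the same string pattern, and recurses one level into an archive that wraps a document. The `build_sample` / `wrap_in_zip` fixtures, the `invoice.docx` member name and the `example.invalid` host are constructed test data, not samples from the page; the 50 MB per-part cap and the nesting limit are assumptions chosen to keep the scanner safe on hostile archives.

```python
"""Emulate the rule's two branches: relationship targets containing "html:http"
and XML strings matching oleObject..mhtml..http, over OOXML/zip attachments."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"

# Same indicators as the rule: regex.icontains(.target, ".*html:http.*") ...
TARGET_RE = re.compile(r"html:http", re.IGNORECASE)
# ... and, for exploded archives, regex.icontains(., ".*oleObject.*mhtml.*http.*")
XML_STRING_RE = re.compile(r"oleObject.*mhtml.*http", re.IGNORECASE | re.DOTALL)

MAX_DEPTH = 3            # assumption: do not follow archives nested deeper than this
MAX_PART_BYTES = 50_000_000  # assumption: skip parts that would decompress beyond this


def _relationship_hits(part_name, xml_bytes):
    """Return (part, rId, target) for every Relationship whose Target matches TARGET_RE."""
    hits = []
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError:          # malformed .rels: nothing to report from this part
        return hits
    for rel in root.iter(REL_NS + "Relationship"):
        target = rel.get("Target", "")
        if TARGET_RE.search(target):
            hits.append((part_name, rel.get("Id"), target))
    return hits


def scan_package(data, depth=0, prefix=""):
    """Scan a zip container (docx/xlsx/pptx, or a .zip wrapping one).

    Returns {'relationships': [...], 'xml_strings': [...]}, one list per rule branch.
    Non-zip input (e.g. RTF) yields empty results instead of raising."""
    findings = {"relationships": [], "xml_strings": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with zf:
        for info in zf.infolist():
            if info.file_size > MAX_PART_BYTES:
                continue
            name = prefix + info.filename
            blob = zf.read(info)
            if info.filename.endswith((".xml", ".rels")):
                if info.filename.endswith(".rels"):
                    findings["relationships"] += _relationship_hits(name, blob)
                if XML_STRING_RE.search(blob.decode("utf-8", "replace")):
                    findings["xml_strings"].append(name)
            elif blob.startswith(b"PK") and depth < MAX_DEPTH:
                # A document inside an archive: recurse, like file.explode() does.
                nested = scan_package(blob, depth + 1, name + "!/")
                findings["relationships"] += nested["relationships"]
                findings["xml_strings"] += nested["xml_strings"]
    return findings


def is_suspicious(data):
    """True when either branch of the rule would fire on this attachment."""
    found = scan_package(data)
    return bool(found["relationships"] or found["xml_strings"])


def build_sample(target, target_mode):
    """CONSTRUCTED fixture: a minimal docx-like package with one oleObject relationship."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
        f'<Relationship Id="rId5" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="{target}" TargetMode="{target_mode}"/>'
        "</Relationships>"
    )
    doc = ('<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
           "<w:body><w:p/></w:body></w:document>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", doc)
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


def wrap_in_zip(inner, member="invoice.docx"):
    """CONSTRUCTED fixture: the document delivered inside a plain .zip (archive branch)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, inner)
    return buf.getvalue()


# Constructed samples: a normal embedded object versus a remote mhtml:http target (placeholder host).
BENIGN = build_sample("embeddings/oleObject1.bin", "Internal")
SUSPECT = build_sample("mhtml:http://example.invalid/PLACEHOLDER.html", "External")

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("suspect", SUSPECT), ("suspect-in-zip", wrap_in_zip(SUSPECT))):
        print(label, is_suspicious(blob), scan_package(blob))
```

Note that the suspect `.rels` part trips both branches: its Relationship carries an `oleObject` type and an `mhtml:http` target, so the raw-string pattern matches the same bytes the relationship parser flags. That overlap is why the rule can keep the string check as a fallback for archives where OLE parsing is not run.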