CVE-2021-42292

This package will detect exploits of CVE-2021-42292, a Microsoft Excel local privilege escalation vulnerability, and generate a notice in notice.log for it.

https://corelight.com/blog/detecting-cve-2021-42292

Detection Method:

This package detects the vulnerability when the triggering Excel spreadsheet downloads a second spreadsheet. The second spreadsheet is executed with elevated privileges. We can detect Microsoft Excel downloading a Microsoft Excel file with this script. In our testing on some live networks we monitor, this combination was extremely rare and we have not seen any false positives so far.

Usage:

$ zeek -Cr excelsploit_1.pcap packages

$ cat notice.log
#separator \x09
#set_separator  ,
#empty_field    (empty)
#unset_field    -
#path   notice
#open   2021-11-10-10-56-50
#fields ts      uid     id.orig_h       id.orig_p       id.resp_h       id.resp_p       fuid    file_mime_type  file_desc       proto   note    msg     sub     src     dst     p       n       peer_descr      actions email_dest      suppress_for    remote_location.country_code    remote_location.region  remote_location.city    remote_location.latitude        remote_location.longitude
#types  time    string  addr    port    addr    port    string  string  string  enum    enum    string  string  addr    addr    port    count   string  set[enum]       set[string]     interval        string  string  string  double  double
1636433584.277654       CeV1DA2EM1pRTfgWkc      127.0.0.1       51543   127.0.0.1       80      -       -       -       tcp     CVE_2021_42292::CVE_2021_42292  127.0.0.1 may be compromised by CVE-2021-42292, MS Office Excel download using Office from 127.0.0.1 detected. See sub field for additional triage information  host='127.0.0.1', method='HEAD', user_agent='Microsoft Office Excel 2014', CONTENT-TYPE='application/vnd.ms-excel', uri='/replica.xls'      127.0.0.1       127.0.0.1       80      -       -       Notice::ACTION_LOG      (empty) 3600.000000     -       -       -       -       -
1636433584.311236       CgKWSM1bhhl7K8B6n8      127.0.0.1       51545   127.0.0.1       80      -       -       -       tcp     CVE_2021_42292::CVE_2021_42292  127.0.0.1 may be compromised by CVE-2021-42292, MS Office Excel download using Office from 127.0.0.1 detected. See sub field for additional triage information  host='127.0.0.1', method='GET', user_agent='Mozilla/4.0 (compatible; ms-office; MSOffice 16)', CONTENT-TYPE='application/vnd.ms-excel', uri='/replica.xls'  127.0.0.1       127.0.0.1       80      -       -       Notice::ACTION_LOG      (empty) 3600.000000     -       -       -       -       -
#close  2021-11-10-10-56-50

Suricata rules are also provided that mirror the detection methodology of the Zeek package.

Links:

• Associated blog including walk through of code elements:
  • https://corelight.com/blog/detecting-cve-2021-42292
• MIME Types:
  • https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types/Common_types
• Excel User Agents:
  • https://developers.whatismybrowser.com/useragents/explore/software_name/excel/