mshtml_module_load_in_office_product.yml
name: MSHTML Module Load in Office Product
id: 5f1c168e-118b-11ec-84ff-acde48001122
version: 3
date: '2024-03-14'
author: Michael Haag, Mauricio Velazco, Splunk
status: production
type: TTP
description: This detection identifies the loading of the mshtml.dll module into
  an Office product. This behavior is associated with CVE-2021-40444, where a
  malicious document loads an ActiveX control that in turn activates the MSHTML
  (Trident) browser engine; the vulnerability is in MSHTML itself, so the module
  load into an Office process is the observable this search keys on. During
  triage, identify child and concurrent processes of the Office process and
  document any files it created or modified for further analysis.
data_source:
- Sysmon EventID 7
search: '`sysmon` EventID=7 process_name IN ("winword.exe","excel.exe","powerpnt.exe","mspub.exe","visio.exe","wordpad.exe","wordview.exe","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe", "msaccess.exe","Graph.exe","winproj.exe") loaded_file_path IN ("*\\mshtml.dll", "*\\Microsoft.mshtml.dll","*\\IE.Interop.MSHTML.dll","*\\MshtmlDac.dll","*\\MshtmlDed.dll","*\\MshtmlDer.dll")
  | stats count min(_time) as firstTime max(_time) as lastTime by user_id, dest, process_name, loaded_file, loaded_file_path, original_file_name, process_guid
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `mshtml_module_load_in_office_product_filter`'
how_to_implement: To successfully implement this search, you need to be ingesting
  logs with the process names and image loads from your endpoints. If you are using
  Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Note that Sysmon
  does not record image loads (Event ID 7) unless image-load logging is enabled
  (the -l option or an ImageLoad rule in the configuration), and image-load events
  are high volume, so scope that rule to the module names and Office processes in
  the search rather than enabling it globally.
known_false_positives: Limited false positives will be present; however, some applications, including Office itself in certain HTML-rendering scenarios, may legitimately load mshtml.dll. Tune as necessary using the filter macro.
references:
- https://app.any.run/tasks/36c14029-9df8-439c-bba0-45f2643b0c70/
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444
- https://strontic.github.io/xcyclopedia/index-dll
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/
tags:
  analytic_story:
  - Spearphishing Attachments
  - Microsoft MSHTML Remote Code Execution CVE-2021-40444
  - CVE-2023-36884 Office and Windows HTML RCE Vulnerability
  asset_type: Endpoint
  confidence: 100
  cve:
  - CVE-2021-40444
  impact: 80
  message: An instance of $process_name$ was identified on endpoint $dest$ loading mshtml.dll.
  mitre_attack_id:
  - T1566
  - T1566.001
  observable:
  - name: dest
    type: Hostname
    role:
    - Victim
  - name: process_name
    type: Process
    role:
    - Attacker
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  required_fields:
  - _time
  - user_id
  - dest
  - process_name
  - loaded_file
  - loaded_file_path
  - original_file_name
  - process_guid
  risk_score: 80
  security_domain: endpoint
tests:
- name: True Positive Test
  attack_data:
  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon_mshtml.log
    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
    sourcetype: xmlwineventlog
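The search above and the triage guidance in the description, re-implemented as an added example (this is not code from the Splunk security_content project) in Python over constructed Sysmon events, so the matching logic can be checked offline before porting the rule to another engine. It assumes the field mapping the Sysmon add-on normally applies (Image to process_name, ImageLoaded to loaded_file_path, OriginalFileName to original_file_name, ProcessGuid to process_guid, User to user_id, Computer to dest), constructs its sample events inline, and shows two details a port has to preserve: SPL value matching is case-insensitive (Sysmon records WINWORD.EXE in upper case), and `*\\mshtml.dll` requires the module file name to be exactly mshtml.dll, so a neighbouring module such as mshtmled.dll does not match.

```python
# Added example, not part of the Splunk security_content rule: the search above
# re-implemented over constructed Sysmon XML events. Assumed field mapping:
# Image -> process_name, ImageLoaded -> loaded_file_path (basename -> loaded_file),
# OriginalFileName -> original_file_name, ProcessGuid -> process_guid,
# User -> user_id, System/Computer -> dest.
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase
from pathlib import PureWindowsPath

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Same lists as the search. Values are lower-cased before comparison because SPL
# matching is case-insensitive and Sysmon records the image as e.g. WINWORD.EXE.
OFFICE_PROCESSES = {
    "winword.exe", "excel.exe", "powerpnt.exe", "mspub.exe", "visio.exe", "wordpad.exe",
    "wordview.exe", "onenote.exe", "onenotem.exe", "onenoteviewer.exe", "onenoteim.exe",
    "msaccess.exe", "graph.exe", "winproj.exe"}
# SPL "*\\mshtml.dll" is a literal backslash plus the name: "ends with \mshtml.dll".
MSHTML_PATTERNS = [p.lower() for p in (
    r"*\mshtml.dll", r"*\Microsoft.mshtml.dll", r"*\IE.Interop.MSHTML.dll",
    r"*\MshtmlDac.dll", r"*\MshtmlDed.dll", r"*\MshtmlDer.dll")]


def parse_event(xml_text):
    """Flatten one XmlWinEventLog Sysmon event into a dict of its fields."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    ev = {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}
    ev["EventID"] = int(system.find("e:EventID", NS).text)
    ev["_time"] = system.find("e:TimeCreated", NS).get("SystemTime")
    ev["dest"] = system.find("e:Computer", NS).text
    return ev


def is_mshtml_load_in_office(ev):
    """The filter part of the search: EventID 7, Office image, MSHTML module."""
    if ev["EventID"] != 7:
        return False
    process_name = PureWindowsPath(ev["Image"]).name.lower()
    loaded = ev["ImageLoaded"].lower()
    return process_name in OFFICE_PROCESSES and any(
        fnmatchcase(loaded, pat) for pat in MSHTML_PATTERNS)


def detect(events):
    """The stats clause: count, min and max _time per (user_id, dest, process_name,
    loaded_file, loaded_file_path, original_file_name, process_guid)."""
    results = {}
    for ev in filter(is_mshtml_load_in_office, events):
        key = (ev.get("User", ""), ev["dest"], PureWindowsPath(ev["Image"]).name.lower(),
               PureWindowsPath(ev["ImageLoaded"]).name, ev["ImageLoaded"],
               ev.get("OriginalFileName", ""), ev["ProcessGuid"])
        row = results.setdefault(key, {"count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"]})
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], ev["_time"])
        row["lastTime"] = max(row["lastTime"], ev["_time"])
    return results


def triage(events, process_guid):
    """Triage pivot on process_guid: the process creation (EventID 1) and any file
    creations (EventID 11) by the same Office process instance."""
    return [ev for ev in events
            if ev.get("ProcessGuid") == process_guid and ev["EventID"] in (1, 11)]


def sysmon_xml(event_id, time, **data):
    """Build a constructed Sysmon event in XmlWinEventLog shape (sample data only)."""
    data.setdefault("User", r"CORP\alice")
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><Provider Name="Microsoft-Windows-Sysmon"/>'
            f'<EventID>{event_id}</EventID><TimeCreated SystemTime="{time}"/>'
            f'<Computer>WS01</Computer></System><EventData>{body}</EventData></Event>')


# Constructed sample: one Word instance (G1) loads mshtml.dll twice and writes a temp
# file; IE loading mshtml.dll and Excel loading mshtmled.dll must not match.
G1 = "{A1B2C3D4-0001-4000-8000-000000000001}"
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
MSHTML = r"C:\Windows\System32\mshtml.dll"
SAMPLE_EVENTS = [parse_event(x) for x in (
    sysmon_xml(1, "2024-03-14T10:15:20.000Z", ProcessGuid=G1, Image=WORD,
               CommandLine=f'"{WORD}" /n "C:\\Users\\alice\\Downloads\\invoice.docx"'),
    sysmon_xml(7, "2024-03-14T10:15:30.000Z", ProcessGuid=G1, Image=WORD,
               ImageLoaded=MSHTML, OriginalFileName="MSHTML.DLL"),
    sysmon_xml(7, "2024-03-14T10:15:31.000Z", ProcessGuid=G1, Image=WORD,
               ImageLoaded=MSHTML, OriginalFileName="MSHTML.DLL"),
    sysmon_xml(11, "2024-03-14T10:15:32.000Z", ProcessGuid=G1, Image=WORD,
               TargetFilename=r"C:\Users\alice\AppData\Local\Temp\~tmp01.tmp"),
    sysmon_xml(7, "2024-03-14T10:16:00.000Z", ProcessGuid="{A1B2C3D4-0002-4000-8000-000000000002}",
               Image=r"C:\Program Files\Internet Explorer\iexplore.exe",
               ImageLoaded=MSHTML, OriginalFileName="MSHTML.DLL"),
    sysmon_xml(7, "2024-03-14T10:17:00.000Z", ProcessGuid="{A1B2C3D4-0003-4000-8000-000000000003}",
               Image=r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
               ImageLoaded=r"C:\Windows\System32\mshtmled.dll", OriginalFileName="MSHTMLED.DLL"),
)]

if __name__ == "__main__":
    for key, row in detect(SAMPLE_EVENTS).items():
        print(f"{key[2]} on {key[1]} loaded {key[4]} x{row['count']} ({row['firstTime']} .. {row['lastTime']})")
        for ev in triage(SAMPLE_EVENTS, key[6]):
            print("  related:", ev["EventID"], ev.get("CommandLine") or ev.get("TargetFilename"))
```

Run as a script it prints the single aggregated row for the Word instance and the two related events (the process creation with its command line and the temp file it wrote), which is the pivot the description asks for; the `mshtml_module_load_in_office_product_filter` macro has no equivalent here and would be applied as an additional allowlist predicate on the rows `detect` returns.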