CVE-2021-41379
3 Rules
4 References
1 Folders
2024-12-01 Latest
Summary
CVE-2021-41379 is tracked here through 3 Sigma detections for exploitation attempts and related post-exploitation behavior observed in 2021. Coverage centers on windows / application, windows / file_event, windows / process_creation.
Related Detections
Emerging Threat, critical, test
Potential CVE-2021-41379 Exploitation Attempt
Detects potential exploitation attempts of CVE-2021-41379 (InstallerFileTakeOver), a local privilege escalation (LPE) vulnerability where the attacker spawns a "cmd.exe" process as a child of Microsoft Edge elevation service "elevation_service" with "LOCAL_SYSTEM" rights
Windows, Process Creation
TA0004 · Privilege Escalation, T1068 · Exploitation for Privilege Escalation, cve.2021-41379, detection.emerging-threats
Florian Roth (Nextron Systems), Mon Nov 22 2021
Emerging Threat, critical, test
InstallerFileTakeOver LPE CVE-2021-41379 File Create Event
Detects signs of the exploitation of LPE CVE-2021-41379 that include an msiexec process that creates an elevation_service.exe file
Windows, File Event
TA0004 · Privilege Escalation, T1068 · Exploitation for Privilege Escalation, detection.emerging-threats
Florian Roth (Nextron Systems), Mon Nov 22 2021
Emerging Threat, high, test
LPE InstallerFileTakeOver PoC CVE-2021-41379
Detects PoC tool used to exploit LPE vulnerability CVE-2021-41379
Windows, application
TA0001 · Initial Access, T1190 · Exploit Public-Facing Application, detection.emerging-threats
Florian Roth (Nextron Systems), Mon Nov 22 2021
References