Emerging Threatcriticaltest

InstallerFileTakeOver LPE CVE-2021-41379 File Create Event

Detects signs of the exploitation of LPE CVE-2021-41379 that include an msiexec process that creates an elevation_service.exe file

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Florian Roth (Nextron Systems)Created Mon Nov 22Updated Sun Dec 253be82d5d-09fe-4d6a-a275-0d40d234d3242021

Emerging Threat

Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source

WindowsFile Event

ProductWindows← raw: windows

CategoryFile Event← raw: file_event

Events for file system activity including creation, modification, and deletion.

Detection Logic

detection:
    selection:
        Image|endswith: '\msiexec.exe'
        TargetFilename|startswith: 'C:\Program Files (x86)\Microsoft\Edge\Application'
        TargetFilename|endswith: '\elevation_service.exe'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

Possibly some Microsoft Edge upgrades

References

Resolving title…

web.archive.org

Resolving title…

zerodayinitiative.com

MITRE ATT&CK

Tactics

TA0004 · Privilege Escalation

Techniques

T1068 · Exploitation for Privilege Escalation

Other

detection.emerging-threats

Rule Metadata

Rule ID

3be82d5d-09fe-4d6a-a275-0d40d234d324

Status

test

Level

critical

Type

Emerging Threat

Created

Mon Nov 22

Modified

Sun Dec 25

Author

Florian Roth (Nextron Systems)

Path

rules-emerging-threats/2021/Exploits/CVE-2021-41379/file_event_win_cve_2021_41379_msi_lpe.yml

Raw Tags

attack.privilege-escalationattack.t1068detection.emerging-threats

View on GitHub