Phoenix
Sigma IntelligenceBeta
Back to Rules
Emerging Threathightest

Suspicious Word Cab File Write CVE-2021-40444

Detects file creation patterns noticeable during the exploitation of CVE-2021-40444

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Florian Roth (Nextron Systems), Sittikorn SCreated Fri Sep 10Updated Thu Jun 2260c0a111-787a-4e8a-9262-ee485f3ef9d52021
Emerging Threat
Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source
WindowsFile Event
ProductWindows← raw: windows
CategoryFile Event← raw: file_event

Events for file system activity including creation, modification, and deletion.

Detection Logic
Detection Logic3 selectors
detection:
    selection_cab:
        Image|endswith: '\winword.exe'
        TargetFilename|contains: '\Windows\INetCache'
        TargetFilename|endswith: '.cab'
    selection_inf:
        Image|endswith: '\winword.exe'
        TargetFilename|contains|all:
            - '\AppData\Local\Temp\'
            - '.inf'
    filter_main_legit:
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|contains: 'AppData\Local\Temp'
        TargetFilename|endswith: '\Content.inf'
    condition: 1 of selection_* and not 1 of filter_main_*
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
twitter.com
2
Resolving title…
twitter.com
MITRE ATT&CK

Other

detection.emerging-threats
Rule Metadata
Rule ID
60c0a111-787a-4e8a-9262-ee485f3ef9d5
Status
test
Level
high
Type
Emerging Threat
Created
Fri Sep 10
Modified
Thu Jun 22
Author
Florian Roth (Nextron Systems), Sittikorn S
Path
rules-emerging-threats/2021/Exploits/CVE-2021-40444/file_event_win_exploit_cve_2021_40444.yml
Raw Tags
attack.resource-developmentattack.t1587detection.emerging-threats
View on GitHub