Emerging Threathightest
Potential Exploitation Attempt From Office Application
Detects Office applications executing a child process that includes directory traversal patterns. This could be an attempt to exploit CVE-2022-30190 (MSDT RCE) or CVE-2021-40444 (MSHTML RCE)
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Christian Burkard (Nextron Systems), @sbousseadenCreated Thu Jun 02Updated Sat Feb 04868955d9-697e-45d4-a3da-360cefd7c2162021
Emerging Threat
Active Threat
Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic
Detection Logic1 selector
detection:
selection:
ParentImage|endswith:
- '\winword.exe'
- '\excel.exe'
- '\powerpnt.exe'
- '\msaccess.exe'
- '\mspub.exe'
- '\eqnedt32.exe'
- '\visio.exe'
CommandLine|contains:
- '../../../..'
- '..\..\..\..'
- '..//..//..//..'
condition: selectionFalse Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
MITRE ATT&CK
Other
cve.2021-40444detection.emerging-threats
Rule Metadata
Rule ID
868955d9-697e-45d4-a3da-360cefd7c216
Status
test
Level
high
Type
Emerging Threat
Created
Thu Jun 02
Modified
Sat Feb 04
Path
rules-emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444_office_directory_traversal.yml
Raw Tags
attack.executionattack.defense-evasioncve.2021-40444detection.emerging-threats