Detection rules › Sublime MQL

Attachment: CVE-2021-40444 - MSHTML Remote Code Execution Vulnerability

Severity
critical
Type
rule
Source
github.com/sublime-security/sublime-rules

Attachment contains an external relationship that attempts to load a remote OLE object, consistent with use in CVE-2021-40444. On September 7, 2021, Microsoft released details about a zero-day remote code execution (RCE) vulnerability in MSHTML that affects Microsoft Windows. According to Microsoft: "we are aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents. An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine."

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

Category                  Values
Attack types              Malware/Ransomware
Tactics and techniques    Exploit, Macros, Scripting

Event coverage

Rule body MQL

type.inbound
and any(attachments,
        (
          (
            .file_extension in~ $file_extensions_macros
            or .file_extension =~ "rtf"
            or (
              .file_extension is null
              and .file_type == "unknown"
              and .content_type == "application/octet-stream"
              and .size < 100000000
            )
          )
          and any(file.oletools(.).relationships,
                  regex.icontains(.target, ".*html:http.*")
          )
        )
        or (
          .file_extension in~ $file_extensions_common_archives
          and any(file.explode(.),
                  .flavors.mime == "text/xml"
                  and any(.scan.strings.strings,
                          regex.icontains(., ".*oleObject.*mhtml.*http.*")
                  )
          )
        )
)

Detection logic

Scope: inbound message.

  1. inbound message
  2. any of attachments where any holds:
    • all of:
      • any of:
        • .file_extension in $file_extensions_macros
        • .file_extension is 'rtf'
        • all of:
          • .file_extension is missing
          • .file_type is 'unknown'
          • .content_type is 'application/octet-stream'
          • .size < 100000000
      • any of file.oletools(.).relationships where:
        • .target matches '.*html:http.*'
    • all of:
      • .file_extension in $file_extensions_common_archives
      • any of file.explode(.) where all hold:
        • .flavors.mime is 'text/xml'
        • any of .scan.strings.strings where:
          • . matches '.*oleObject.*mhtml.*http.*'

Inspects: attachments[].content_type, attachments[].file_extension, attachments[].file_type, attachments[].size, type.inbound. Sensors: file.explode, file.oletools, regex.icontains. Reference lists: $file_extensions_common_archives, $file_extensions_macros.
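The two branches above can be approximated outside Sublime to see what they key on. The following is an added example, not code from the sublime-rules repository: it walks an OOXML (docx-style) zip, treats every *.rels part as the relationship list that file.oletools(.).relationships would expose (an assumption about that sensor's output), applies the rule's ".*html:http.*" pattern to each relationship Target, and separately scans the XML parts line by line with the ".*oleObject.*mhtml.*http.*" pattern as a stand-in for file.explode(.) plus .scan.strings. The sample documents are constructed in memory with placeholder example.invalid hosts; they are not real malware and carry no payload.

```python
"""Stand-alone approximation of both branches of the CVE-2021-40444 rule.
Added example, not Sublime's code. Sample documents below are constructed."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
# The two patterns from the rule body. regex.icontains is a case-insensitive
# "contains" match, which re.search with IGNORECASE reproduces.
TARGET_RE = re.compile(r".*html:http.*", re.IGNORECASE)
OLE_STRING_RE = re.compile(r".*oleObject.*mhtml.*http.*", re.IGNORECASE)


def relationship_hits(ooxml_bytes):
    """Branch 1 stand-in for file.oletools(.).relationships (assumption: that
    sensor yields each relationship's Target). Walk every *.rels part in the
    zip and return (part, Id, Target, TargetMode) for targets matching TARGET_RE."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(ooxml_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(REL_NS + "Relationship"):
                target = rel.get("Target", "")
                if TARGET_RE.search(target):
                    hits.append((name, rel.get("Id"), target, rel.get("TargetMode")))
    return hits


def string_hits(ooxml_bytes):
    """Branch 2 stand-in for file.explode(.) + .scan.strings on text/xml parts:
    scan each XML part line by line for the oleObject ... mhtml ... http sequence.
    The oleObject relationship Type and the mhtml: target sit on one line of the
    .rels part, which is why the string pattern fires there."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(ooxml_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith((".xml", ".rels")):
                continue
            for line in zf.read(name).decode("utf-8", errors="replace").splitlines():
                if OLE_STRING_RE.search(line):
                    hits.append(name)
                    break
    return hits


def is_suspicious(ooxml_bytes):
    """True if either branch fires, mirroring the rule's top-level 'or'."""
    return bool(relationship_hits(ooxml_bytes) or string_hits(ooxml_bytes))


def build_sample(relationships):
    """Construct a minimal docx-like zip with one document.xml.rels part.
    relationships: list of (Id, relationship type suffix, Target, TargetMode or None)."""
    rels = ['<?xml version="1.0" encoding="UTF-8" standalone="yes"?>',
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">']
    for rid, rtype, target, mode in relationships:
        mode_attr = f' TargetMode="{mode}"' if mode else ""
        rels.append(f'<Relationship Id="{rid}" Type="http://schemas.openxmlformats.org/'
                    f'officeDocument/2006/relationships/{rtype}" Target="{target}"{mode_attr}/>')
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml",
                    '<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        zf.writestr("word/_rels/document.xml.rels", "\n".join(rels))
    return buf.getvalue()


# Constructed samples: a benign document with an ordinary external hyperlink, and
# one whose oleObject relationship points at a remote mhtml: target (hosts are placeholders).
BENIGN = build_sample([
    ("rId1", "styles", "styles.xml", None),
    ("rId2", "hyperlink", "https://example.invalid/report", "External"),
])
SUSPICIOUS = build_sample([
    ("rId1", "styles", "styles.xml", None),
    ("rId5", "oleObject",
     "mhtml:http://example.invalid/word.html!x-usc:http://example.invalid/word.html", "External"),
])

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, is_suspicious(doc), relationship_hits(doc), string_hits(doc))
```

The script works on raw bytes, so it does not model the rule's pre-filters (macro-capable or rtf extension, the extension-less application/octet-stream case, the size cap, or the archive branch's explode of a containing zip); those decide which attachments get handed to the two content checks, and a port to another pipeline should keep them, since running oletools on every inbound attachment is what the size guard and extension list exist to avoid.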

Indicators matched (6)

Field                                         Match    Value
attachments[].file_extension                  equals   rtf
attachments[].file_type                       equals   unknown
attachments[].content_type                    equals   application/octet-stream
regex.icontains                               regex    .*html:http.*
file.explode(attachments[])[].flavors.mime    equals   text/xml
regex.icontains                               regex    .*oleObject.*mhtml.*http.*