MSDT "Follina" Detections

Hello!

Just wanted to share some LEQL queries that could potentially detect activity related to the recent MSDT “Follina” 0-day vulnerability reported over the weekend. Here’s a nice writeup on Follina: Rapid Response: Microsoft Office RCE - “Follina” MSDT Attack

You can also find Microsoft’s MSRC notice about it here.

There are three queries below, all based on process start logs, requiring command line logging (and possibly enhanced endpoint telemetry, although I think you could get away without it). I’ve also included a combined query that includes all three. I’ve adapted these from public Sigma rules (linked) and converted to LEQL using the InsightIDR Sigma backend.

  1. This rule will monitor any Office app that spins up a new LOLBin process. This activity is pretty suspicious and should be investigated.
    Source: sigma/proc_creation_win_lolbins_by_office_applications.yml at master · SigmaHQ/sigma · GitHub
    where(process.name IIN ["regsvr32.exe", "rundll32.exe", "msiexec.exe", "mshta.exe", "verclsid.exe", "msdt.exe"] AND parent_process.name IIN ["winword.exe", "excel.exe", "powerpnt.exe"])
  2. Detects Word documents leveraging the “ms-msdt” handler or the “msdt.exe” binary to execute arbitrary commands.
    Source: sigma/proc_creation_win_msdt.yml at master · SigmaHQ/sigma · GitHub
    where((parent_process.name = NOCASE("winword.exe") AND process.name = NOCASE("msdt.exe")) OR ((process.name = NOCASE("msdt.exe") OR process.exe_file.orig_filename = NOCASE("msdt.exe")) AND process.cmd_line ICONTAINS "IT_BrowseForFile="))
  3. This rule will monitor suspicious arguments passed to the msdt.exe process. These arguments are an indicator of recent Office/MSDT exploitation.
    Source: suspicious_msdt_execution.yml · GitHub
    where(process.name = NOCASE("msdt.exe") AND (process.cmd_line ICONTAINS "invoke" OR (process.cmd_line ICONTAINS "PCWDiagnostic" AND process.cmd_line ICONTAINS-ANY ["ms-msdt:-id", "ms-msdt:/id"])))
  4. All three combined:
    where((process.name IIN ["regsvr32.exe", "rundll32.exe", "msiexec.exe", "mshta.exe", "verclsid.exe", "msdt.exe"] AND parent_process.name IIN ["winword.exe", "excel.exe", "powerpnt.exe"]) OR ((parent_process.name = NOCASE("winword.exe") AND process.name = NOCASE("msdt.exe")) OR ((process.name = NOCASE("msdt.exe") OR process.exe_file.orig_filename = NOCASE("msdt.exe")) AND process.cmd_line ICONTAINS "IT_BrowseForFile=")) OR (process.name = NOCASE("msdt.exe") AND (process.cmd_line ICONTAINS "invoke" OR (process.cmd_line ICONTAINS "PCWDiagnostic" AND process.cmd_line ICONTAINS-ANY ["ms-msdt:-id", "ms-msdt:/id"]))))

Hope this helps! Happy analyzing. 🧐

Micah

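To sanity-check the three queries before pasting them into Log Search, here is an offline re-implementation of their logic run over a handful of constructed process-start events. This is an added example, not code from the original post and not InsightIDR's own matching engine: it assumes the query fields (process.name, parent_process.name, process.cmd_line, process.exe_file.orig_filename) arrive as dictionary keys, that IIN/NOCASE/ICONTAINS compare case-insensitively, and that AND binds tighter than OR, which is the reading the queries above rely on. The sample events are made up for illustration, including the placeholder command lines.

```python
# Offline evaluator mirroring the three Follina LEQL queries above.
# Added example: not the original post's code and not InsightIDR's matching
# engine. Field names follow the query fields; the event dicts below are
# constructed samples, not captured telemetry.

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
LOLBINS = {"regsvr32.exe", "rundll32.exe", "msiexec.exe",
           "mshta.exe", "verclsid.exe", "msdt.exe"}
MSDT_URI_IDS = ("ms-msdt:-id", "ms-msdt:/id")


def _f(event, key):
    """Fetch a field lower-cased: IIN, NOCASE and ICONTAINS all ignore case."""
    return str(event.get(key, "")).lower()


def office_spawns_lolbin(event):
    """Query 1: an Office parent starting one of the listed LOLBins."""
    return (_f(event, "process.name") in LOLBINS
            and _f(event, "parent_process.name") in OFFICE_PARENTS)


def msdt_from_word_or_browseforfile(event):
    """Query 2: winword -> msdt, or any msdt (by name or original filename)
    whose command line carries IT_BrowseForFile=."""
    name = _f(event, "process.name")
    orig = _f(event, "process.exe_file.orig_filename")
    cmd = _f(event, "process.cmd_line")
    parent_is_word = (_f(event, "parent_process.name") == "winword.exe"
                      and name == "msdt.exe")
    is_msdt = name == "msdt.exe" or orig == "msdt.exe"
    return parent_is_word or (is_msdt and "it_browseforfile=" in cmd)


def suspicious_msdt_args(event):
    """Query 3: msdt.exe with 'invoke', or PCWDiagnostic together with an
    ms-msdt:/id or ms-msdt:-id URI on the command line."""
    if _f(event, "process.name") != "msdt.exe":
        return False
    cmd = _f(event, "process.cmd_line")
    return "invoke" in cmd or ("pcwdiagnostic" in cmd
                               and any(uri in cmd for uri in MSDT_URI_IDS))


RULES = {
    "office_lolbin": office_spawns_lolbin,
    "msdt_word_or_browseforfile": msdt_from_word_or_browseforfile,
    "msdt_suspicious_args": suspicious_msdt_args,
}


def evaluate(events):
    """Return {event_id: [names of rules that matched]} for every event."""
    return {e["id"]: [n for n, rule in RULES.items() if rule(e)] for e in events}


# Constructed sample events (hypothetical values, placeholders for payloads).
SAMPLE_EVENTS = [
    {   # Word launching msdt via the ms-msdt URI with a BrowseForFile parameter
        "id": "doc-to-msdt",
        "parent_process.name": "WINWORD.EXE",
        "process.name": "msdt.exe",
        "process.exe_file.orig_filename": "msdt.exe",
        "process.cmd_line": '"C:\\Windows\\System32\\msdt.exe" ms-msdt:/id '
                            'PCWDiagnostic IT_BrowseForFile=<placeholder>',
    },
    {   # Excel spawning rundll32: only the generic Office->LOLBin rule applies
        "id": "excel-rundll32",
        "parent_process.name": "excel.exe",
        "process.name": "rundll32.exe",
        "process.exe_file.orig_filename": "RUNDLL32.EXE",
        "process.cmd_line": "rundll32.exe <placeholder>",
    },
    {   # msdt renamed on disk; only the PE original filename still says msdt.exe
        "id": "renamed-msdt",
        "parent_process.name": "explorer.exe",
        "process.name": "update.exe",
        "process.exe_file.orig_filename": "msdt.exe",
        "process.cmd_line": "update.exe IT_BrowseForFile=<placeholder>",
    },
    {   # Troubleshooter started interactively: no URI handler, no 'invoke'
        "id": "benign-troubleshooter",
        "parent_process.name": "explorer.exe",
        "process.name": "msdt.exe",
        "process.exe_file.orig_filename": "msdt.exe",
        "process.cmd_line": "msdt.exe -id PCWDiagnostic",
    },
    {   # Word spawning a child that is not in the LOLBin list
        "id": "word-other-child",
        "parent_process.name": "winword.exe",
        "process.name": "splwow64.exe",
        "process.exe_file.orig_filename": "splwow64.exe",
        "process.cmd_line": "splwow64.exe",
    },
]

if __name__ == "__main__":
    for event_id, hits in evaluate(SAMPLE_EVENTS).items():
        print(f"{event_id:24} -> {hits or 'no match'}")
```

The renamed-msdt event is the reason query 2 also checks process.exe_file.orig_filename: a copy of msdt.exe under another name still carries the original filename in its PE version resource, so the IT_BrowseForFile= branch fires on it even though process.name does not match. The benign troubleshooter launch shows the opposite edge: PCWDiagnostic on its own is not enough for query 3, it needs the ms-msdt URI form or "invoke" as well.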

Also, I neglected to check earlier but it looks like there is a built-in detection rule for this already! Hats off to the R7 team for being on top of it over the weekend. 🙏


This is very useful for anyone who may have been under pressure to answer questions about what IDR can do before detections are out. Thank you @mbabinski, and kudos to the detection teams who got the built-in rule deployed quickly.

Also, very cool trick which I had no idea was a thing but will be revisiting as soon as I have time and/or there’s another hot topic vulnerability doing the rounds:

I’ve adapted these from public Sigma rules (linked) and converted to LEQL using the InsightIDR Sigma backend


Thank you for sharing these @mbabinski and also again for your work on the Sigma converter. Our hats are off to you and we will endeavour to make this experience simpler for yourself and others to share and enable rules over the upcoming months 👍


Hi, sorry for the noob question, but how do I use this query in IDR Log Search?

Thanks

Should be possible to copy/paste the queries above straight into the InsightIDR Log Search query dialog, @lnguyen. I re-tested the third one just now. You’ll need to select Endpoint Activity > Process Start Events as the Event Source Type, then run the query.


Thanks for your reply. But I didn't see “Endpoint Activity” in my IDR portal. Maybe it's missing due to advanced licensing? I will check with support.

Thanks again
