Hello!
Just wanted to share some LEQL queries that could potentially detect activity related to the recent MSDT “Follina” 0-day vulnerability reported over the weekend. Here’s a nice writeup on Follina: Rapid Response: Microsoft Office RCE - “Follina” MSDT Attack
You can also find Microsoft’s MSRC notice about it here.
There are three queries below, all based on process start logs, requiring command line logging (and possibly enhanced endpoint telemetry, although I think you could get away without it). I’ve also included a combined query that includes all three. I’ve adapted these from public Sigma rules (linked) and converted to LEQL using the InsightIDR Sigma backend.
- This rule will monitor any Office app that spins up a new LOLBin process. This activity is pretty suspicious and should be investigated.
Source: sigma/proc_creation_win_lolbins_by_office_applications.yml at master · SigmaHQ/sigma · GitHub
where(process.name IIN ["regsvr32.exe", "rundll32.exe", "msiexec.exe", "mshta.exe", "verclsid.exe", "msdt.exe"] AND parent_process.name IIN ["winword.exe", "excel.exe", "powerpnt.exe"])
- Detects Word documents leveraging the “ms-msdt” handler or the “msdt.exe” binary to execute arbitrary commands.
Source: sigma/proc_creation_win_msdt.yml at master · SigmaHQ/sigma · GitHub
where((parent_process.name = NOCASE("winword.exe") AND process.name = NOCASE("msdt.exe")) OR ((process.name = NOCASE("msdt.exe") OR process.exe_file.orig_filename = NOCASE("msdt.exe")) AND process.cmd_line ICONTAINS "IT_BrowseForFile="))
- This rule will monitor suspicious arguments passed to the msdt.exe process. These arguments are an indicator of recent Office/Msdt exploitation.
Source: suspicious_msdt_execution.yml · GitHub
where(process.name = NOCASE("msdt.exe") AND (process.cmd_line ICONTAINS "invoke" OR (process.cmd_line ICONTAINS "PCWDiagnostic" AND process.cmd_line ICONTAINS-ANY ["ms-msdt:-id", "ms-msdt:/id"])))
- All three combined:
where((process.name IIN ["regsvr32.exe", "rundll32.exe", "msiexec.exe", "mshta.exe", "verclsid.exe", "msdt.exe"] AND parent_process.name IIN ["winword.exe", "excel.exe", "powerpnt.exe"]) OR (parent_process.name = NOCASE("winword.exe") AND process.name = NOCASE("msdt.exe")) OR ((process.name = NOCASE("msdt.exe") OR process.exe_file.orig_filename = NOCASE("msdt.exe")) AND process.cmd_line ICONTAINS "IT_BrowseForFile=") OR (process.name = NOCASE("msdt.exe") AND (process.cmd_line ICONTAINS "invoke" OR (process.cmd_line ICONTAINS "PCWDiagnostic" AND process.cmd_line ICONTAINS-ANY ["ms-msdt:-id", "ms-msdt:/id"]))))
Hope this helps! Happy analyzing.
Micah
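The three queries from the post above, re-implemented in Python and run over a few constructed process-start events so the matching logic can be checked offline; this is an added example, not part of the original post or of InsightIDR. The event field names (process_name, parent_process_name, cmd_line, orig_filename) are assumptions standing in for the LEQL fields, and the sample events are constructed, not real telemetry.

```python
# Added example: the three LEQL rules from the post, as Python predicates.
LOLBINS = {"regsvr32.exe", "rundll32.exe", "msiexec.exe", "mshta.exe",
           "verclsid.exe", "msdt.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}


def rule_office_lolbin(ev):
    """Office app spawning a LOLBin (proc_creation_win_lolbins_by_office_applications)."""
    return (ev["process_name"].lower() in LOLBINS
            and ev["parent_process_name"].lower() in OFFICE_APPS)


def rule_msdt(ev):
    """winword -> msdt.exe, or msdt.exe with IT_BrowseForFile= (proc_creation_win_msdt)."""
    cmd = ev["cmd_line"].lower()
    is_msdt = (ev["process_name"].lower() == "msdt.exe"
               or ev.get("orig_filename", "").lower() == "msdt.exe")  # field name assumed
    return ((ev["parent_process_name"].lower() == "winword.exe"
             and ev["process_name"].lower() == "msdt.exe")
            or (is_msdt and "it_browseforfile=" in cmd))


def rule_msdt_args(ev):
    """msdt.exe with exploitation-style arguments (suspicious_msdt_execution)."""
    cmd = ev["cmd_line"].lower()
    return (ev["process_name"].lower() == "msdt.exe"
            and ("invoke" in cmd
                 or ("pcwdiagnostic" in cmd
                     and any(s in cmd for s in ("ms-msdt:-id", "ms-msdt:/id")))))


RULES = {"office_lolbin": rule_office_lolbin, "msdt": rule_msdt,
         "msdt_args": rule_msdt_args}


def evaluate(events):
    """Combined query: return {event_id: [matching rule names]} for events hitting any rule."""
    hits = {}
    for ev in events:
        matched = [name for name, fn in RULES.items() if fn(ev)]
        if matched:
            hits[ev["id"]] = matched
    return hits


# Constructed sample events (not real telemetry); event 2 is a normal troubleshooter launch.
SAMPLE_EVENTS = [
    {"id": 1, "parent_process_name": "WINWORD.EXE", "process_name": "msdt.exe",
     "cmd_line": 'msdt.exe ms-msdt:/id PCWDiagnostic /param "IT_BrowseForFile=<constructed>"'},
    {"id": 2, "parent_process_name": "explorer.exe", "process_name": "msdt.exe",
     "cmd_line": "msdt.exe -id NetworkDiagnosticsWeb"},
    {"id": 3, "parent_process_name": "EXCEL.EXE", "process_name": "rundll32.exe",
     "cmd_line": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"id": 4, "parent_process_name": "explorer.exe", "process_name": "WINWORD.EXE",
     "cmd_line": "WINWORD.EXE /n report.docx"},
]

if __name__ == "__main__":
    for eid, rules in evaluate(SAMPLE_EVENTS).items():
        print(f"event {eid}: {', '.join(rules)}")
```

Event 1 trips all three rules, event 3 only the Office-to-LOLBin rule, and the benign troubleshooter launch (event 2) and plain Word start (event 4) match nothing, which is the behaviour to expect from the combined query.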