MSDT "Follina" Detections

Hello!

Just wanted to share some LEQL queries that could potentially detect activity related to the recent MSDT “Follina” 0-day vulnerability reported over the weekend. Here’s a nice writeup on Follina: Rapid Response: Microsoft Office RCE - “Follina” MSDT Attack

You can also find Microsoft’s MSRC notice about it here.

There are three queries below, all based on process start logs, requiring command line logging (and possibly enhanced endpoint telemetry, although I think you could get away without it). I’ve also included a combined query that includes all three. I’ve adapted these from public Sigma rules (linked) and converted to LEQL using the InsightIDR Sigma backend.

  1. This rule will monitor any office apps that spins up a new LOLBin process. This activity is pretty suspicious and should be investigated.
    Source: sigma/proc_creation_win_lolbins_by_office_applications.yml at master · SigmaHQ/sigma · GitHub
    where(process.name IIN ["regsvr32.exe", "rundll32.exe", "msiexec.exe", "mshta.exe", "verclsid.exe", "msdt.exe"] AND parent_process.name IIN ["winword.exe", "excel.exe", "powerpnt.exe"])
  2. Detects word documents leveraging the “ms-msdt” handler or the “msdt.exe” binary to execute arbitrary commands.
    Source: sigma/proc_creation_win_msdt.yml at master · SigmaHQ/sigma · GitHub
    where(parent_process.name = NOCASE("winword.exe") AND process.name = NOCASE("msdt.exe") OR (process.name = NOCASE("msdt.exe") OR process.exe_file.orig_filename = NOCASE("msdt.exe")) AND process.cmd_line ICONTAINS "IT_BrowseForFile=")
  3. This rule will monitor suspicious arguments passed to the msdt.exe process. These arguments are an indicator of recent Office/Msdt exploitation.
    Source: suspicious_msdt_execution.yml · GitHub
    where(process.name = NOCASE("msdt.exe") AND (process.cmd_line ICONTAINS "invoke" OR process.cmd_line ICONTAINS "PCWDiagnostic" AND (process.cmd_line ICONTAINS-ANY ["ms-msdt:-id", "ms-msdt:/id"])))
  4. All three combined:
    where((process.name IIN ["regsvr32.exe", "rundll32.exe", "msiexec.exe", "mshta.exe", "verclsid.exe", "msdt.exe"] AND parent_process.name IIN ["winword.exe", "excel.exe", "powerpnt.exe"]) OR (parent_process.name = NOCASE("winword.exe") AND process.name = NOCASE("msdt.exe") OR (process.name = NOCASE("msdt.exe") OR process.exe_file.orig_filename = NOCASE("msdt.exe")) AND process.cmd_line ICONTAINS "IT_BrowseForFile=") OR (process.name = NOCASE("msdt.exe") AND (process.cmd_line ICONTAINS "invoke" OR process.cmd_line ICONTAINS "PCWDiagnostic" AND (process.cmd_line ICONTAINS-ANY ["ms-msdt:-id", "ms-msdt:/id"]))))

Hope this helps! Happy analyzing. :face_with_monocle:

Micah

7 Likes

Also, I neglected to check earlier but it looks like there is a built-in detection rule for this already! Hats off to the R7 team for being on top of it over the weekend. :pray:

4 Likes

This is very useful for anyone who may have been under pressure to answer questions about what IDR can do before detections are out. Thank you @mbabinski, and kudos to the detection teams who got the built-in rule deployed quickly.
image

Also, very cool trick which I had no idea was a thing but will be revisiting as soon as I have time and/or there’s another hot topic vulnerability doing the rounds:

I’ve adapted these from public Sigma rules (linked) and converted to LEQL using the InsightIDR Sigma backend

3 Likes

Thank you for sharing these @mbabinski and also again for your work on the Sigma converter. Our hats are off to you and we will endeavour to make this experience simpler for yourself and others to share and enable rules over the upcoming months :+1:

2 Likes