The most heated conversation during the week has been about the Advisory released by Microsoft on 7th September 2021 on the zero-day vulnerability CVE-2021-40444, which affects the MSHTML component of Internet Explorer on Windows 10 and many Windows Server versions as well.
On successful exploitation, TrendMicro has observed the installation of a Cobalt Strike Beacon, which gives the threat actor remote access to the device. The end user's machine is then compromised and available to the attacker to steal information, run malware or move laterally to gain access to other machines and compromise the network.
Microsoft released a patch for this vulnerability on 14th September; DNIF nevertheless provides hunting content to detect any compromise through this vulnerability. DNIF is a HyperScale SIEM that can ingest, enrich, store and correlate cybersecurity data while bringing the benefits of a SIEM, UEBA and a SOAR into one single integrated product stack.
Hunting for compromises using DNIF
Exploitation of the zero-day creates a process when the malicious document is executed: the Office application spawns control.exe.
|SELECT * FROM SYSMON-PROCESS WHERE ($ParentImage LIKE "%winword.exe%" OR $ParentImage LIKE "%excel.exe%" OR $ParentImage LIKE "%powerpnt.exe%") AND $Image LIKE "%control.exe%" AND $CommandLine LIKE "%control.exe input.dll%"|
During execution, Winword is observed writing .cab and .inf files to %temp% as well as files under INetCache.
|SELECT * FROM SYSMON-FILE WHERE ($Image LIKE "%winword.exe%" OR $Image LIKE "%excel.exe%" OR $Image LIKE "%powerpnt.exe%") AND ($TargetFilename LIKE "%.cab%" OR $TargetFilename LIKE "%Windows%INetCache%")|
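As an added illustration that is not part of the original post, the two hunting rules above expressed as Python over constructed Sysmon events (Event ID 1 = process create, Event ID 11 = file create). Field names follow the Sysmon schema used by the queries; case-insensitive LIKE matching is an assumption made because Windows paths are case-insensitive.

```python
import fnmatch

# Constructed sample Sysmon events for testing the rules offline (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\control.exe",
     "CommandLine": r"C:\Windows\System32\control.exe input.dll"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\control.exe", "CommandLine": "control.exe"},
    {"EventID": 11, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\side.cab"},
    {"EventID": 11, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Microsoft\Windows\INetCache\IE\abc\doc.html"},
    {"EventID": 11, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\alice\Documents\report.docx"},
]

OFFICE_APPS = ("winword.exe", "excel.exe", "powerpnt.exe")

def like(value, pattern):
    """SQL/DQL-style LIKE with '%' wildcards; case-insensitive (assumption)."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower().replace("%", "*"))

def office_parent_spawns_control(ev):
    """First query: an Office parent spawning control.exe with 'control.exe input.dll'."""
    return (ev.get("EventID") == 1
            and any(like(ev.get("ParentImage", ""), f"%{app}%") for app in OFFICE_APPS)
            and like(ev.get("Image", ""), "%control.exe%")
            and like(ev.get("CommandLine", ""), "%control.exe input.dll%"))

def office_writes_cab_or_inetcache(ev):
    """Second query: an Office process writing a .cab file or into the INetCache folder."""
    return (ev.get("EventID") == 11
            and any(like(ev.get("Image", ""), f"%{app}%") for app in OFFICE_APPS)
            and (like(ev.get("TargetFilename", ""), "%.cab%")
                 or like(ev.get("TargetFilename", ""), "%Windows%INetCache%")))

def hunt(events):
    """Return (rule_name, event) pairs for every event matching either hunting rule."""
    hits = []
    for ev in events:
        if office_parent_spawns_control(ev):
            hits.append(("office_spawns_control", ev))
        if office_writes_cab_or_inetcache(ev):
            hits.append(("office_writes_cab_or_inetcache", ev))
    return hits

if __name__ == "__main__":
    for rule, ev in hunt(SAMPLE_EVENTS):
        print(rule, ev.get("CommandLine") or ev.get("TargetFilename"))
```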
Response steps to be taken if compromised
- Isolate the machine from the network to cut off the attacker's access.
- Identify the file that compromised the machine and determine its source (email or website).
- If it came from an email, identify all recipients of the email and recall it. Block the sender. Investigate all identified machines for execution of the file and consider them compromised.
- If it came from a website, identify all users who accessed the URL, block the URL on your network and consider those users compromised.
- Investigate network connections from the compromised hosts or users.
- Delete the identified malicious file and its dependencies.
- Investigate common drop points and registry entries on the compromised machine to eradicate malicious artefacts.
- Reset passwords for compromised accounts.
DNIF HyperScale SIEM provides a high value solution by combining advanced technologies such as the SIEM, UEBA, SOAR, and security data lake into one product at an extremely low Total Cost of Ownership to bring power and efficiency to security operation centres of all sizes. DNIF’s high-speed ingestion and performance ensures unlimited, scalable log data collection and threat detection using a cost-effective solution that offers not only high scalability across geographies, but also enhanced capabilities using behavioural analysis and ML-driven analytics. It uses the most up-to-date threat intelligence to quickly detect and mitigate emerging attacks and bridges the gap between searching, processing, analysing and visualising data. Its open architecture gives organisations a library of ready-to-use actions at their fingertips and the ability to build their own without any burden on their budget. DNIF offers solutions to the world’s most challenging cybersecurity problems and is used by some of the biggest players in the BFSI, NBFC, Telecom, and e-commerce space. A vast majority of managed security service providers use DNIF as their core for service delivery.