EXPLORE
Sign In
← Back to Explore
sublimecriticalRule

Attachment: CVE-2021-40444 - MSHTML Remote Code Execution Vulnerability

Attachment contains an external relationship that attempts to load a remote OLE object, consistent with use in CVE-2021-40444. On September 7, 2021, Microsoft released details about a zero day RCE vulnerability in MSHTML that affects Microsoft Windows. According to Microsoft: "we are aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents. An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine."

MITRE ATT&CK

T1566.001T1204.002T1486T1190T1203T1059.005T1059
execution

Detection Query

type.inbound
and any(attachments,
        (
          (
            .file_extension in~ $file_extensions_macros
            or .file_extension =~ "rtf"
            or (
              .file_extension is null
              and .file_type == "unknown"
              and .content_type == "application/octet-stream"
              and .size < 100000000
            )
          )
          and any(file.oletools(.).relationships,
                  regex.icontains(.target, ".*html:http.*")
          )
        )
        or (
          .file_extension in~ $file_extensions_common_archives
          and any(file.explode(.),
                  .flavors.mime == "text/xml"
                  and any(.scan.strings.strings,
                          regex.icontains(., ".*oleObject.*mhtml.*http.*")
                  )
          )
        )
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email

References

Tags

CVE-2021-40444
Raw Content
name: "Attachment: CVE-2021-40444 - MSHTML Remote Code Execution Vulnerability"
description: |
  Attachment contains an external relationship that attempts to load a remote OLE object, consistent with use in CVE-2021-40444.

  On September 7, 2021, Microsoft released details about a zero day RCE vulnerability in MSHTML that affects Microsoft Windows.

  According to Microsoft: "we are aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents. An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine."
references:
  - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444"
  - "https://twitter.com/buffaloverflow/status/1436261107329642522"
  - "https://twitter.com/jroosen/status/1435792491899494402"
  - "https://twitter.com/decalage2/status/1436433067619622916"
  - "https://www.reddit.com/r/crowdstrike/comments/pkb9wi/situational_awareness_cve202140444_mshtml_remote/"
  - "https://twitter.com/aaaddress1/status/1436393045939814400"
type: "rule"
severity: "critical"
source: |
  type.inbound
  and any(attachments,
          (
            (
              .file_extension in~ $file_extensions_macros
              or .file_extension =~ "rtf"
              or (
                .file_extension is null
                and .file_type == "unknown"
                and .content_type == "application/octet-stream"
                and .size < 100000000
              )
            )
            and any(file.oletools(.).relationships,
                    regex.icontains(.target, ".*html:http.*")
            )
          )
          or (
            .file_extension in~ $file_extensions_common_archives
            and any(file.explode(.),
                    .flavors.mime == "text/xml"
                    and any(.scan.strings.strings,
                            regex.icontains(., ".*oleObject.*mhtml.*http.*")
                    )
            )
          )
  )
tags:
  - "CVE-2021-40444"
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Exploit"
  - "Macros"
  - "Scripting"
detection_methods:
  - "Archive analysis"
  - "Content analysis"
  - "File analysis"
  - "Macro analysis"
  - "OLE analysis"
id: "8cefcf7f-2a48-5102-9b09-8db995759223"