[Deprecated] - MSHTML vulnerability CVE-2021-40444 attack
| Id | 972c89fa-c969-4d12-932f-04d55d145299 |
| Rulename | [Deprecated] - MSHTML vulnerability CVE-2021-40444 attack |
| Description | This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft’s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy |
| Severity | High |
| Tactics | Execution |
| Techniques | T1203 |
| Required data connectors | MicrosoftThreatProtection SecurityEvents |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/MSHTMLVuln.yaml |
| Version | 2.0.0 |
| Arm template | 972c89fa-c969-4d12-932f-04d55d145299.json |
( union isfuzzy=true
(SecurityEvent
| where EventID==4688
| where isnotempty(CommandLine)
| extend FileName = Process, ProcessCommandLine = CommandLine
| where (FileName in~('control.exe','rundll32.exe') and ProcessCommandLine has '.cpl:')
or ProcessCommandLine matches regex @'\".[a-zA-Z]{2,4}:\.\.\/\.\.'
| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer
),
(DeviceProcessEvents
| where (FileName in~('control.exe','rundll32.exe') and ProcessCommandLine has '.cpl:')
or ProcessCommandLine matches regex @'\".[a-zA-Z]{2,4}:\.\.\/\.\.'
| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName
),
(Event
| where Source == "Microsoft-Windows-Sysmon"
| where EventID == 1
| extend EventData = parse_xml(EventData).DataItem.EventData.Data
| mv-expand bagexpansion=array EventData
| evaluate bag_unpack(EventData)
| extend Key = tostring(column_ifexists('@Name', "")), Value = column_ifexists('#text', "")
| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)
| extend Image = column_ifexists("Image", ""), ProcessCommandLine = column_ifexists("CommandLine", "")
| extend FileName = split(Image, '\\', -1)[-1]
| where (FileName in~('control.exe','rundll32.exe') and ProcessCommandLine has '.cpl:')
or ProcessCommandLine matches regex @'\".[a-zA-Z]{2,4}:\.\.\/\.\.'
| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer
)
)
tactics:
- Execution
entityMappings:
- fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
entityType: Account
- fieldMappings:
- identifier: FullName
columnName: HostCustomEntity
entityType: Host
kind: Scheduled
query: |
( union isfuzzy=true
(SecurityEvent
| where EventID==4688
| where isnotempty(CommandLine)
| extend FileName = Process, ProcessCommandLine = CommandLine
| where (FileName in~('control.exe','rundll32.exe') and ProcessCommandLine has '.cpl:')
or ProcessCommandLine matches regex @'\".[a-zA-Z]{2,4}:\.\.\/\.\.'
| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer
),
(DeviceProcessEvents
| where (FileName in~('control.exe','rundll32.exe') and ProcessCommandLine has '.cpl:')
or ProcessCommandLine matches regex @'\".[a-zA-Z]{2,4}:\.\.\/\.\.'
| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName
),
(Event
| where Source == "Microsoft-Windows-Sysmon"
| where EventID == 1
| extend EventData = parse_xml(EventData).DataItem.EventData.Data
| mv-expand bagexpansion=array EventData
| evaluate bag_unpack(EventData)
| extend Key = tostring(column_ifexists('@Name', "")), Value = column_ifexists('#text', "")
| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)
| extend Image = column_ifexists("Image", ""), ProcessCommandLine = column_ifexists("CommandLine", "")
| extend FileName = split(Image, '\\', -1)[-1]
| where (FileName in~('control.exe','rundll32.exe') and ProcessCommandLine has '.cpl:')
or ProcessCommandLine matches regex @'\".[a-zA-Z]{2,4}:\.\.\/\.\.'
| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer
)
)
requiredDataConnectors:
- connectorId: SecurityEvents
dataTypes:
- SecurityEvent
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceProcessEvents
version: 2.0.0
queryFrequency: 1h
queryPeriod: 1h
description: |
'This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy'
id: 972c89fa-c969-4d12-932f-04d55d145299
triggerThreshold: 0
severity: High
tags:
- CVE-2021-40444
- DEV-0413
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/MSHTMLVuln.yaml
name: '[Deprecated] - MSHTML vulnerability CVE-2021-40444 attack'
relevantTechniques:
- T1203
triggerOperator: gt
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/972c89fa-c969-4d12-932f-04d55d145299')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/972c89fa-c969-4d12-932f-04d55d145299')]",
"properties": {
"alertRuleTemplateName": "972c89fa-c969-4d12-932f-04d55d145299",
"customDetails": null,
"description": "'This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy'\n",
"displayName": "[Deprecated] - MSHTML vulnerability CVE-2021-40444 attack",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountCustomEntity",
"identifier": "FullName"
}
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "HostCustomEntity",
"identifier": "FullName"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/MSHTMLVuln.yaml",
"query": "( union isfuzzy=true\n(SecurityEvent\n| where EventID==4688\n| where isnotempty(CommandLine)\n| extend FileName = Process, ProcessCommandLine = CommandLine\n| where (FileName in~('control.exe','rundll32.exe') and ProcessCommandLine has '.cpl:')\n or ProcessCommandLine matches regex @'\\\".[a-zA-Z]{2,4}:\\.\\.\\/\\.\\.'\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\n),\n(DeviceProcessEvents\n| where (FileName in~('control.exe','rundll32.exe') and ProcessCommandLine has '.cpl:')\nor ProcessCommandLine matches regex @'\\\".[a-zA-Z]{2,4}:\\.\\.\\/\\.\\.'\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 1 \n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\n| mv-expand bagexpansion=array EventData\n| evaluate bag_unpack(EventData)\n| extend Key = tostring(column_ifexists('@Name', \"\")), Value = column_ifexists('#text', \"\")\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\n| extend Image = column_ifexists(\"Image\", \"\"), ProcessCommandLine = column_ifexists(\"CommandLine\", \"\")\n| extend FileName = split(Image, '\\\\', -1)[-1]\n| where (FileName in~('control.exe','rundll32.exe') and ProcessCommandLine has '.cpl:')\n or ProcessCommandLine matches regex @'\\\".[a-zA-Z]{2,4}:\\.\\.\\/\\.\\.'\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer\n)\n)\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "High",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Execution"
],
"tags": [
"CVE-2021-40444",
"DEV-0413"
],
"techniques": [
"T1203"
],
"templateVersion": "2.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}