Microsoft Sentinel Analytic Rules

[Deprecated] - MSHTML vulnerability CVE-2021-40444 attack

Id972c89fa-c969-4d12-932f-04d55d145299
Rulename[Deprecated] - MSHTML vulnerability CVE-2021-40444 attack
DescriptionThis query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft’s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy
SeverityHigh
TacticsExecution
TechniquesT1203
Required data connectorsMicrosoftThreatProtection
SecurityEvents
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/MSHTMLVuln.yaml
Version2.0.0
Arm template972c89fa-c969-4d12-932f-04d55d145299.json
// Deprecated detection for the MSHTML vulnerability CVE-2021-40444 (per the rule
// description the IoCs it encodes are considered outdated).
// Three process-creation sources are unioned and each is filtered with the same
// predicate: control.exe / rundll32.exe launched with a '.cpl:' argument, or a
// command line matching the regex below. Every branch ends by exposing the same
// three columns (timestamp, AccountCustomEntity, HostCustomEntity), which the
// rule's Account / Host entity mappings consume.
// isfuzzy=true: the union still runs when one of the tables is absent from the workspace.
( union isfuzzy=true
// Branch 1: Windows Security event 4688 (process creation), SecurityEvents connector.
(SecurityEvent
| where EventID==4688
// Rows without a command line cannot satisfy either condition, so they are dropped
// up front (NOTE: 4688 only carries one when command-line auditing is enabled on the host).
| where isnotempty(CommandLine)
| extend FileName = Process, ProcessCommandLine = CommandLine
// Shared predicate. @'...' is a verbatim string, so the backslashes reach the regex
// engine as written. The regex matches: a double quote, then ANY single character
// (the unescaped '.' after \" is a wildcard, not a literal dot), then 2-4 letters,
// ':' and '../..'.
| where (FileName in~('control.exe','rundll32.exe') and ProcessCommandLine has '.cpl:')
  or ProcessCommandLine matches regex @'\".[a-zA-Z]{2,4}:\.\.\/\.\.'
| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer
),
// Branch 2: Defender for Endpoint process creation, MicrosoftThreatProtection connector.
// FileName / ProcessCommandLine already exist in this table, so no extend precedes the filter.
(DeviceProcessEvents
| where (FileName in~('control.exe','rundll32.exe') and ProcessCommandLine has '.cpl:')
or ProcessCommandLine matches regex @'\".[a-zA-Z]{2,4}:\.\.\/\.\.'
// The account entity is the initiating process' UPN here, a different field shape than branch 1.
| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName
),
// Branch 3: Sysmon event ID 1 (process create) ingested into the Event table.
// Sysmon EventData is XML, so it is parsed into name/value pairs and pivoted back
// into one row per event before the same predicate can be applied.
(Event
| where Source == "Microsoft-Windows-Sysmon"
| where EventID == 1 
| extend EventData = parse_xml(EventData).DataItem.EventData.Data
// One row per <Data Name="..."> element, then unpack each element into columns.
| mv-expand bagexpansion=array EventData
| evaluate bag_unpack(EventData)
// '@Name' is the element's Name attribute, '#text' its text content.
| extend Key = tostring(column_ifexists('@Name', "")), Value = column_ifexists('#text', "")
// Re-assemble one row per event: one column per Sysmon field name, grouped by the listed event columns.
| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)
// column_ifexists keeps the query valid when no event in the period produced these columns.
| extend Image = column_ifexists("Image", ""), ProcessCommandLine = column_ifexists("CommandLine", "")
// Last path segment of the image. NOTE(review): split(...)[-1] yields a dynamic value, whereas
// FileName is a string in the other two branches — confirm in~ behaves as intended without tostring().
| extend FileName = split(Image, '\\', -1)[-1]
| where (FileName in~('control.exe','rundll32.exe') and ProcessCommandLine has '.cpl:')
  or ProcessCommandLine matches regex @'\".[a-zA-Z]{2,4}:\.\.\/\.\.'
| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer
)
)
# Microsoft Sentinel scheduled analytic rule, as published at OriginalUri below.
# Deprecated: see `description`. The block scalar is the rule's KQL and is passed
# to Sentinel verbatim; it unions three process-creation sources (SecurityEvent 4688,
# DeviceProcessEvents, Sysmon event 1 in the Event table) under one predicate.
query: |
  ( union isfuzzy=true
  (SecurityEvent
  | where EventID==4688
  | where isnotempty(CommandLine)
  | extend FileName = Process, ProcessCommandLine = CommandLine
  | where (FileName in~('control.exe','rundll32.exe') and ProcessCommandLine has '.cpl:')
    or ProcessCommandLine matches regex @'\".[a-zA-Z]{2,4}:\.\.\/\.\.'
  | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer
  ),
  (DeviceProcessEvents
  | where (FileName in~('control.exe','rundll32.exe') and ProcessCommandLine has '.cpl:')
  or ProcessCommandLine matches regex @'\".[a-zA-Z]{2,4}:\.\.\/\.\.'
  | extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName
  ),
  (Event
  | where Source == "Microsoft-Windows-Sysmon"
  | where EventID == 1 
  | extend EventData = parse_xml(EventData).DataItem.EventData.Data
  | mv-expand bagexpansion=array EventData
  | evaluate bag_unpack(EventData)
  | extend Key = tostring(column_ifexists('@Name', "")), Value = column_ifexists('#text', "")
  | evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)
  | extend Image = column_ifexists("Image", ""), ProcessCommandLine = column_ifexists("CommandLine", "")
  | extend FileName = split(Image, '\\', -1)[-1]
  | where (FileName in~('control.exe','rundll32.exe') and ProcessCommandLine has '.cpl:')
    or ProcessCommandLine matches regex @'\".[a-zA-Z]{2,4}:\.\.\/\.\.'
  | extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer
  )
  )  
# Free-form tags: the CVE this rule targets and the DEV-0413 tracking label.
tags:
- CVE-2021-40444
- DEV-0413
# Shown in the portal; explains why the rule was retired and points at the
# Threat Intelligence solution that replaces static IoC matching.
description: |
    'This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy'
# gt 0: an alert is raised whenever the query returns at least one row.
triggerOperator: gt
triggerThreshold: 0
# Runs every hour over the preceding hour; look-back equals frequency, so
# consecutive runs do not overlap.
queryPeriod: 1h
queryFrequency: 1h
# Entity columns produced by the trailing `extend` of every union branch in the query.
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: AccountCustomEntity
    identifier: FullName
- entityType: Host
  fieldMappings:
  - columnName: HostCustomEntity
    identifier: FullName
name: '[Deprecated] - MSHTML vulnerability CVE-2021-40444 attack'
status: Available
id: 972c89fa-c969-4d12-932f-04d55d145299
tactics:
- Execution
kind: Scheduled
# NOTE(review): the query also reads Sysmon process-create events from the `Event`
# table, but no connector for that source is declared here; only the SecurityEvent
# and DeviceProcessEvents branches are covered by these entries.
requiredDataConnectors:
- connectorId: SecurityEvents
  dataTypes:
  - SecurityEvent
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceProcessEvents
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/MSHTMLVuln.yaml
version: 2.0.0
severity: High
# ATT&CK technique T1203 (Exploitation for Client Execution) under the Execution tactic above.
relevantTechniques:
- T1203