Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. [Deprecated] - MSHTML vulnerability CVE-2021-40444 attack

[Deprecated] - MSHTML vulnerability CVE-2021-40444 attack

Back
Id972c89fa-c969-4d12-932f-04d55d145299
Rulename[Deprecated] - MSHTML vulnerability CVE-2021-40444 attack
DescriptionThis query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft’s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy
SeverityHigh
TacticsExecution
TechniquesT1203
Required data connectorsMicrosoftThreatProtection
SecurityEvents
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/MSHTMLVuln.yaml
Version2.0.0
Arm template972c89fa-c969-4d12-932f-04d55d145299.json
Deploy To Azure
( union isfuzzy=true
(SecurityEvent
| where EventID==4688
| where isnotempty(CommandLine)
| extend FileName = Process, ProcessCommandLine = CommandLine
| where (FileName in~('control.exe','rundll32.exe') and ProcessCommandLine has '.cpl:')
  or ProcessCommandLine matches regex @'\".[a-zA-Z]{2,4}:\.\.\/\.\.'
| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer
),
(DeviceProcessEvents
| where (FileName in~('control.exe','rundll32.exe') and ProcessCommandLine has '.cpl:')
or ProcessCommandLine matches regex @'\".[a-zA-Z]{2,4}:\.\.\/\.\.'
| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName
),
(Event
| where Source == "Microsoft-Windows-Sysmon"
| where EventID == 1 
| extend EventData = parse_xml(EventData).DataItem.EventData.Data
| mv-expand bagexpansion=array EventData
| evaluate bag_unpack(EventData)
| extend Key = tostring(column_ifexists('@Name', "")), Value = column_ifexists('#text', "")
| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)
| extend Image = column_ifexists("Image", ""), ProcessCommandLine = column_ifexists("CommandLine", "")
| extend FileName = split(Image, '\\', -1)[-1]
| where (FileName in~('control.exe','rundll32.exe') and ProcessCommandLine has '.cpl:')
  or ProcessCommandLine matches regex @'\".[a-zA-Z]{2,4}:\.\.\/\.\.'
| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer
)
)

entityMappings:
- fieldMappings:
  - columnName: AccountCustomEntity
    identifier: FullName
  entityType: Account
- fieldMappings:
  - columnName: HostCustomEntity
    identifier: FullName
  entityType: Host
severity: High
name: '[Deprecated] - MSHTML vulnerability CVE-2021-40444 attack'
triggerThreshold: 0
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/MSHTMLVuln.yaml
id: 972c89fa-c969-4d12-932f-04d55d145299
kind: Scheduled
status: Available
queryFrequency: 1h
relevantTechniques:
- T1203
description: |
    'This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy'
query: |
  ( union isfuzzy=true
  (SecurityEvent
  | where EventID==4688
  | where isnotempty(CommandLine)
  | extend FileName = Process, ProcessCommandLine = CommandLine
  | where (FileName in~('control.exe','rundll32.exe') and ProcessCommandLine has '.cpl:')
    or ProcessCommandLine matches regex @'\".[a-zA-Z]{2,4}:\.\.\/\.\.'
  | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer
  ),
  (DeviceProcessEvents
  | where (FileName in~('control.exe','rundll32.exe') and ProcessCommandLine has '.cpl:')
  or ProcessCommandLine matches regex @'\".[a-zA-Z]{2,4}:\.\.\/\.\.'
  | extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName
  ),
  (Event
  | where Source == "Microsoft-Windows-Sysmon"
  | where EventID == 1 
  | extend EventData = parse_xml(EventData).DataItem.EventData.Data
  | mv-expand bagexpansion=array EventData
  | evaluate bag_unpack(EventData)
  | extend Key = tostring(column_ifexists('@Name', "")), Value = column_ifexists('#text', "")
  | evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)
  | extend Image = column_ifexists("Image", ""), ProcessCommandLine = column_ifexists("CommandLine", "")
  | extend FileName = split(Image, '\\', -1)[-1]
  | where (FileName in~('control.exe','rundll32.exe') and ProcessCommandLine has '.cpl:')
    or ProcessCommandLine matches regex @'\".[a-zA-Z]{2,4}:\.\.\/\.\.'
  | extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer
  )
  )  
version: 2.0.0
tactics:
- Execution
tags:
- CVE-2021-40444
- DEV-0413
queryPeriod: 1h
requiredDataConnectors:
- dataTypes:
  - SecurityEvent
  connectorId: SecurityEvents
- dataTypes:
  - DeviceProcessEvents
  connectorId: MicrosoftThreatProtection