Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. [Deprecated] - MSHTML vulnerability CVE-2021-40444 attack

[Deprecated] - MSHTML vulnerability CVE-2021-40444 attack

Back
Id972c89fa-c969-4d12-932f-04d55d145299
Rulename[Deprecated] - MSHTML vulnerability CVE-2021-40444 attack
DescriptionThis query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft’s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy
SeverityHigh
TacticsExecution
TechniquesT1203
Required data connectorsMicrosoftThreatProtection
SecurityEvents
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/MSHTMLVuln.yaml
Version2.0.0
Arm template972c89fa-c969-4d12-932f-04d55d145299.json
Deploy To Azure
( union isfuzzy=true
(SecurityEvent
| where EventID==4688
| where isnotempty(CommandLine)
| extend FileName = Process, ProcessCommandLine = CommandLine
| where (FileName in~('control.exe','rundll32.exe') and ProcessCommandLine has '.cpl:')
  or ProcessCommandLine matches regex @'\".[a-zA-Z]{2,4}:\.\.\/\.\.'
| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer
),
(DeviceProcessEvents
| where (FileName in~('control.exe','rundll32.exe') and ProcessCommandLine has '.cpl:')
or ProcessCommandLine matches regex @'\".[a-zA-Z]{2,4}:\.\.\/\.\.'
| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName
),
(Event
| where Source == "Microsoft-Windows-Sysmon"
| where EventID == 1 
| extend EventData = parse_xml(EventData).DataItem.EventData.Data
| mv-expand bagexpansion=array EventData
| evaluate bag_unpack(EventData)
| extend Key = tostring(column_ifexists('@Name', "")), Value = column_ifexists('#text', "")
| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)
| extend Image = column_ifexists("Image", ""), ProcessCommandLine = column_ifexists("CommandLine", "")
| extend FileName = split(Image, '\\', -1)[-1]
| where (FileName in~('control.exe','rundll32.exe') and ProcessCommandLine has '.cpl:')
  or ProcessCommandLine matches regex @'\".[a-zA-Z]{2,4}:\.\.\/\.\.'
| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer
)
)

name: '[Deprecated] - MSHTML vulnerability CVE-2021-40444 attack'
query: |
  ( union isfuzzy=true
  (SecurityEvent
  | where EventID==4688
  | where isnotempty(CommandLine)
  | extend FileName = Process, ProcessCommandLine = CommandLine
  | where (FileName in~('control.exe','rundll32.exe') and ProcessCommandLine has '.cpl:')
    or ProcessCommandLine matches regex @'\".[a-zA-Z]{2,4}:\.\.\/\.\.'
  | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer
  ),
  (DeviceProcessEvents
  | where (FileName in~('control.exe','rundll32.exe') and ProcessCommandLine has '.cpl:')
  or ProcessCommandLine matches regex @'\".[a-zA-Z]{2,4}:\.\.\/\.\.'
  | extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName
  ),
  (Event
  | where Source == "Microsoft-Windows-Sysmon"
  | where EventID == 1 
  | extend EventData = parse_xml(EventData).DataItem.EventData.Data
  | mv-expand bagexpansion=array EventData
  | evaluate bag_unpack(EventData)
  | extend Key = tostring(column_ifexists('@Name', "")), Value = column_ifexists('#text', "")
  | evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)
  | extend Image = column_ifexists("Image", ""), ProcessCommandLine = column_ifexists("CommandLine", "")
  | extend FileName = split(Image, '\\', -1)[-1]
  | where (FileName in~('control.exe','rundll32.exe') and ProcessCommandLine has '.cpl:')
    or ProcessCommandLine matches regex @'\".[a-zA-Z]{2,4}:\.\.\/\.\.'
  | extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer
  )
  )  
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: AccountCustomEntity
    identifier: FullName
- entityType: Host
  fieldMappings:
  - columnName: HostCustomEntity
    identifier: FullName
queryPeriod: 1h
version: 2.0.0
tactics:
- Execution
triggerOperator: gt
kind: Scheduled
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/MSHTMLVuln.yaml
relevantTechniques:
- T1203
id: 972c89fa-c969-4d12-932f-04d55d145299
tags:
- CVE-2021-40444
- DEV-0413
severity: High
requiredDataConnectors:
- connectorId: SecurityEvents
  dataTypes:
  - SecurityEvent
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceProcessEvents
status: Available
description: |
    'This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy'
queryFrequency: 1h