CVE-2021-40444 - MSHTML RCE

CVE-2021-4044 refers to the MSHTML engine, that has been found vulnerable to arbitrary code execution by a specially crafted Microsoft Office document or rich text format file. Mitigations: * Microsoft official patch addressing CVE-2021-40444 * Several workarounds suggested by Microsoft. Researchers have validated this attack triggered in Windows Explorer with “Preview Mode” enabled, even in just a rich-text format RTF file (not an Office file and without ActiveX). This indicates it can be exploited even without opening the file and this invalidates Microsoft’s workaround mitigation mentioned above. This playbook should be trigger manually and includes the following tasks: * Collect related known indicators from several sources. * Indicators, Files and Process creation patterns hunting using PAN-OS, Cortex XDR and SIEM products. * Block indicators automatically or manually. * Provide workarounds and detection capabilities. * Microsoft official CVE-2021-40444 patch. More information: [Microsoft MSHTML Remote Code Execution Vulnerability](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444) Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.

CVE-2021-40444 - MSHTML RCE · 56 tasks · 6 inputs · 0 outputs

Inputs

  • YaraRulesSource — The source of the Yara rules
  • SigmaRulesSource — The source of the Sigma rules
  • SplunkEarliestTime — The earliest time for the Splunk search query.
  • SplunkLatestTime — The latest time for the Splunk search query.
  • BlockIndicatorsAutomatically — Whether to automatically block the indicators involved.
  • QRadarTimeRange — The time range for the QRadar search query.

Commands used

associateIndicatorsToIncident closeInvestigation extractIndicators linkIncidents qradar-searches setIndicators splunk-search

Flowchart

yes Yes Yes yes No Yes yes Start Start Collect Indicators Collect Indicators Collect indicators from HUNTRESS - ParseHTMLIndicators Collect indicators from H... ParseHTMLIndicators Collect indicators from Picussecurity - ParseHTMLIndicators Collect indicators from P... ParseHTMLIndicators Extract Indicators Extract Indicators Extract Indicators From Data Collected - extractIndicators Extract Indicators From D... extractIndicators Download Yara Rules - http Download Yara Rules http Download Sigma Rules - http Download Sigma Rules http Tag and Link Indicators Tag and Link Indicators Tag File indicators - setIndicators Tag File indicators setIndicators Tag IP indicators - setIndicators Tag IP indicators setIndicators Tag Domain indicators - setIndicators Tag Domain indicators setIndicators Tag URL indicators - setIndicators Tag URL indicators setIndicators Link Indicators To Incident - associateIndicatorsToIncident Link Indicators To Incident associateIndicatorsToIncident SIEM Hunting SIEM Hunting Palo Alto Networks Hunting Palo Alto Networks Hunting Palo Alto Networks - Hunting And Threat Detection - Palo Alto Networks - Hunting And Threat Detection Palo Alto Networks - Hunt... Palo Alto Networks - Hunting ... Splunk Indicator Hunting - Splunk Indicator Hunting Splunk Indicator Hunting Splunk Indicator Hunting QRadar Indicator Hunting V2 - QRadar Indicator Hunting V2 QRadar Indicator Hunting V2 QRadar Indicator Hunting V2 Search Endpoints By Hash - Generic V2 - Search Endpoints By Hash - Generic V2 Search Endpoints By Hash ... Search Endpoints By Hash - Ge... Hunting For Endpoint IoCs Hunting For Endpoint IoCs Search XDR incidents for CVE-2021-40444 related behavior - SearchIncidentsV2 Search XDR incidents for ... SearchIncidentsV2 Is Cortex XDR enabled? Is Cortex XDR enabled? SIEM Advanced Hunting SIEM Advanced Hunting Is Splunk Enabled? Is Splunk Enabled? Endpoint Enrichment - Generic v2.1 - Endpoint Enrichment - Generic v2.1 Endpoint Enrichment - Gen... Endpoint Enrichment - Generic... Threat Hunting Threat Hunting Hunting Cortex XDR Signatures Hunting Cortex XDR Signat... Is QRadar Enabled? Is QRadar Enabled? Search for suspicious file creation under INETCACHE - qradar-searches Search for suspicious fil... qradar-searches Search for suspicious file creation under INETCACHE - splunk-search Search for suspicious fil... splunk-search Search for suspicious process creation pattern - splunk-search Search for suspicious pro... splunk-search Search for suspicious process creation pattern - qradar-searches Search for suspicious pro... qradar-searches Remediation Remediation Block Indicators - Generic v2 - Block Indicators - Generic v2 Block Indicators - Generi... Block Indicators - Generic v2 Block indicators automatically? Block indicators automati... Block indicators manually Block indicators manually Deploy YARA rules Deploy YARA rules Deploy Sigma rules Deploy Sigma rules Deploy Detection Rules Deploy Detection Rules Mitigation Mitigation Analysis resolution - Should continue with the investigation? Analysis resolution - Sho... Done Done Investigate Further Investigate Further Close Investigation - closeInvestigation Close Investigation closeInvestigation Disable ActiveX controls via Group Policy Disable ActiveX controls ... Disable ActiveX controls on an individual system via regkey Disable ActiveX controls ... Disable preview in Windows Explore Disable preview in Window... Deploy Microsoft Workarounds Deploy Microsoft Workarounds Detections & Workarounds Detections & Workarounds Link related incidents - linkIncidents Link related incidents linkIncidents Hunting Cortex XDR XQL Queries Hunting Cortex XDR XQL Qu... Look for potential CVE-2021-40444 exploitation attempts Look for potential CVE-20... Are there incidents to link? Are there incidents to link? Resolution Resolution Install Microsoft official patch Install Microsoft officia...