We recommend implementing generic countermeasures against entry vector threats. For more information, see: KB91836 - Countermeasures for entry vector threats. Of the recommended steps outlined in that article, some success has been shown with ENS Exploit Prevention signature "2844: Microsoft Word WordPerfect5 Converter Module Buffer Overflow Vulnerability" against known IOCs, although this rule is considered aggressive and might result in false positives. Test this recommendation thoroughly before applying it to production systems.
Administrators and analysts can use the following EDR Real-Time Search to help identify potential behavior from the exploit in their environments. The query identifies systems with WinWord.exe as a running process where MSHTML.dll is currently loaded:
HostInfo hostname and LoadedModules where LoadedModules process_name contains "winword" and LoadedModules module_name contains "mshtml"
The following ENS Exploit Prevention Expert Rule has been created to provide additional coverage for this threat. The rule has been updated to minimize false positives, but you should still test it thoroughly before applying it to production systems. You can set the suggested rule to report-only mode for testing, to check whether it conflicts with anything in your environment and to monitor for the target behavior without blocking. After you determine that the rule doesn't block any activity from legitimate applications, set the rule to block and apply the setting to the relevant systems.
Rule Class: Processes
Rule {
    Process {
        Include OBJECT_NAME { -v "winword.exe" }
        Include OBJECT_NAME { -v "excel.exe" }
        Include OBJECT_NAME { -v "powerpnt.exe" }
        Include AggregateMatch -xtype "switch1" {
            Include DLL_LOADED -name "ieframe" { -v 0x1 }
        }
        Include AggregateMatch -xtype "switch2" {
            Include DLL_LOADED -name "MSHTML" { -v 0x1 }
        }
        Include AggregateMatch -xtype "switch3" {
            Include DLL_LOADED -name "urlmon" { -v 0x1 }
        }
        Include AggregateMatch -xtype "switch4" {
            Include DLL_LOADED -name "wininet" { -v 0x1 }
        }
    }
    Target {
        Match PROCESS {
            Include OBJECT_NAME { -v "control.exe" }
            Include -access "CREATE"
        }
    }
}
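To make the rule's logic concrete for analysts validating it in report-only mode, the following Python is an added illustration (not ENS code and not from this article) that replays the same conditions over constructed process-creation telemetry: an Office process (winword, excel or powerpnt) that has one of the browser-engine DLLs (ieframe, MSHTML, urlmon, wininet) loaded creates control.exe. The event format is an assumption made for the example.

```python
"""Emulates the Expert Rule above over sample telemetry (added illustration, not ENS code)."""
from dataclasses import dataclass, field

# Process names from the rule's Process block.
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Loaded modules from the rule's switch1..switch4 AggregateMatch blocks; any one suffices.
BROWSER_DLLS = {"ieframe", "mshtml", "urlmon", "wininet"}
# Target of the CREATE access check.
TARGET_PROCESS = "control.exe"


@dataclass
class ProcessCreate:
    """Constructed process-creation event carrying the parent's loaded-module list (assumed format)."""
    parent_name: str
    child_name: str
    parent_modules: list = field(default_factory=list)


def module_base(path: str) -> str:
    """Normalise a module path to its lower-case base name without the .dll suffix."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".dll") else name


def matches_expert_rule(event: ProcessCreate) -> bool:
    """True when an Office process with a browser-engine DLL loaded creates control.exe."""
    if event.parent_name.lower() not in OFFICE_PROCESSES:
        return False
    if event.child_name.lower() != TARGET_PROCESS:
        return False
    loaded = {module_base(m) for m in event.parent_modules}
    return bool(loaded & BROWSER_DLLS)


def find_hits(events) -> list:
    """Indices of events the rule would report; in report-only mode these are the alerts to triage."""
    return [i for i, e in enumerate(events) if matches_expert_rule(e)]


# Constructed sample telemetry: only event 1 fits the pattern the rule describes.
SAMPLE_EVENTS = [
    ProcessCreate("winword.exe", "splwow64.exe", ["C:\\Windows\\System32\\kernel32.dll"]),
    ProcessCreate("WINWORD.EXE", "control.exe",
                  ["C:\\Windows\\System32\\mshtml.dll", "C:\\Windows\\System32\\urlmon.dll"]),
    ProcessCreate("explorer.exe", "control.exe", ["C:\\Windows\\System32\\mshtml.dll"]),
    ProcessCreate("excel.exe", "control.exe", ["C:\\Windows\\System32\\kernel32.dll"]),
]

if __name__ == "__main__":
    for i in find_hits(SAMPLE_EVENTS):
        e = SAMPLE_EVENTS[i]
        print(f"event {i}: {e.parent_name} -> {e.child_name} (browser DLL loaded in parent)")
```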
On September 14, 2021, we released a new Network Security signature set (10.8.25.1) for the Network Security Platform (NSP) containing coverage for CVE-2021-40444. For more information, see: KB94886 - REGISTERED - Network Security Signature Sets Release Bulletin (10.8.25.1).
NOTE: The referenced content is available only to logged in ServicePortal users. To view the content, click the link and log in when prompted.
HIGH - HTTP: Microsoft MSHTML Remote Code Execution Vulnerability (CVE-2021-40444) (0x45299800):Exploit:
This alert indicates an attempt to exploit a remote code execution vulnerability through a Microsoft Office document. The alert requires the HTTP response feature to be enabled; the attack won't be detected if the HTTP response option is disabled.
Further coverage opportunities are currently being evaluated.