Do we have any content to detect "Moniker Link" - CVE-2024-21413
I know it's a little bit delayed, but due to the nature of the 0day from February you would need to know which method was being exploited (i.e. which characters the exact attack wanted to utilize).
That said, you could write a detection that checks for Outlook.exe (and all versions of it) connecting over port 445. If you have sysmon installed, you could use EventId 3's for this.
Florian Roth also wrote a YARA rule that could detect emails that have that malicious Moniker link in it :
rule EXPL_CVE_2024_21413_Microsoft_Outlook_RCE_Feb24 {
meta:
description = "Detects emails that contain signs of a method to exploit CVE-2024-21413 in Microsoft Outlook"
author = "X__Junior, Florian Roth"
reference = "https://github.com/xaitax/CVE-2024-21413-Microsoft-Outlook-Remote-Code-Execution-Vulnerability/"
date = "2024-02-17"
modified = "2024-02-19"
score = 75
strings:
$a1 = "Subject: "
$a2 = "Received: "
$xr1 = /file:///\\[^"']{6,600}.(docx|txt|pdf|xlsx|pptx|odt|etc|jpg|png|gif|bmp|tiff|svg|mp4|avi|mov|wmv|flv|mkv|mp3|wav|aac|flac|ogg|wma|exe|msi|bat|cmd|ps1|zip|rar|7z|targz|iso|dll|sys|ini|cfg|reg|html|css|java|py|c|cpp|db|sql|mdb|accdb|sqlite|eml|pst|ost|mbox|htm|php|asp|jsp|xml|ttf|otf|woff|woff2|rtf|chm|hta|js|lnk|vbe|vbs|wsf|xls|xlsm|xltm|xlt|doc|docm|dot|dotm)!/
condition:
filesize < 1000KB
and all of ($a*)
and 1 of ($xr*)
}
I hope that this late in the game, you have patched all your Outlook installations, and would instead go for detecting if any are unpatched.