Splunk Enterprise Security

Use Case

mrkrabhishek
New Member

Do we have any content to detect "Moniker Link" - CVE-2024-21413

Labels (1)
0 Karma

TheLawsOfChaos
Explorer

I know it's a little bit delayed, but due to the nature of the 0day from February you would need to know which method was being exploited (i.e. which characters the exact attack wanted to utilize).

That said, you could write a detection that checks for Outlook.exe (and all versions of it) connecting over port 445. If you have sysmon installed, you could use EventId 3's for this.

Florian Roth also wrote a YARA rule that could detect emails that have that malicious Moniker link in it : 

rule EXPL_CVE_2024_21413_Microsoft_Outlook_RCE_Feb24 {
   meta:
      description = "Detects emails that contain signs of a method to exploit CVE-2024-21413 in Microsoft Outlook"
      author = "X__Junior, Florian Roth"
      reference = "https://github.com/xaitax/CVE-2024-21413-Microsoft-Outlook-Remote-Code-Execution-Vulnerability/"
      date = "2024-02-17"
      modified = "2024-02-19"
      score = 75
   strings:
      $a1 = "Subject: "
      $a2 = "Received: "
      $xr1 = /file:///\\[^"']{6,600}.(docx|txt|pdf|xlsx|pptx|odt|etc|jpg|png|gif|bmp|tiff|svg|mp4|avi|mov|wmv|flv|mkv|mp3|wav|aac|flac|ogg|wma|exe|msi|bat|cmd|ps1|zip|rar|7z|targz|iso|dll|sys|ini|cfg|reg|html|css|java|py|c|cpp|db|sql|mdb|accdb|sqlite|eml|pst|ost|mbox|htm|php|asp|jsp|xml|ttf|otf|woff|woff2|rtf|chm|hta|js|lnk|vbe|vbs|wsf|xls|xlsm|xltm|xlt|doc|docm|dot|dotm)!/
   condition:
      filesize < 1000KB
      and all of ($a*)
      and 1 of ($xr*)
}

I hope that this late in the game, you have patched all your Outlook installations, and would instead go for detecting if any are unpatched.

0 Karma
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

March Community Office Hours Security Series Uncovered!

Hello Splunk Community! In March, Splunk Community Office Hours spotlighted our fabulous Splunk Threat ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars in April. This post ...