[et_pb_section fb_built=”1″ _builder_version=”4.16″ _module_preset=”default” da_disable_devices=”off|off|off” global_colors_info=”{}” da_is_popup=”off” da_exit_intent=”off” da_has_close=”on” da_alt_close=”off” da_dark_close=”off” da_not_modal=”on” da_is_singular=”off” da_with_loader=”off” da_has_shadow=”on”][et_pb_row _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”][et_pb_text _builder_version=”4.17.4″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n
The Follina 0day vulnerability (CVE-2022-30190) in Microsoft Windows is actively exploited in-the-wild and highly critical. This blog posts lists some important web resources and the signatures that detect exploitation attempts.<\/p>\n
[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row column_structure=”1_3,1_3,1_3″ _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”][et_pb_column type=”1_3″ _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”][et_pb_blurb title=”Kevin Beaumont’s Blog Post” url=”https:\/\/doublepulsar.com\/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e” url_new_window=”on” image=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-13-at-09.36.08.png” _builder_version=”4.17.4″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n
Kevin’s post contains links to tweets of researchers that discovered the 0day exploit, information on the timeline, and mitigations<\/p>\n
[\/et_pb_blurb][\/et_pb_column][et_pb_column type=”1_3″ _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”][et_pb_blurb title=”Huntress Labs Blog Post” url=”https:\/\/www.huntress.com\/blog\/microsoft-office-remote-code-execution-follina-msdt-bug” url_new_window=”on” image=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-13-at-09.39.03.png” _builder_version=”4.17.4″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n
Explains the exploit in more detail<\/p>\n
[\/et_pb_blurb][\/et_pb_column][et_pb_column type=”1_3″ _builder_version=”4.17.4″ _module_preset=”default” global_colors_info=”{}”][et_pb_blurb title=”Counter Measures” url=”https:\/\/twitter.com\/gentilkiwi\/status\/1531384447219781634″ image=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2022\/06\/Screenshot-2022-06-13-at-09.45.35.png” _builder_version=”4.17.4″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n
Recommended counter measures by Benjamin Deplhy<\/p>\n
[\/et_pb_blurb][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”][et_pb_text _builder_version=”4.17.4″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n
Check for matches with the following rules:<\/p>\n
Rules shared in the public signature-base<\/a> and used in THOR<\/a> and THOR Lite<\/p>\n Only available in THOR<\/p>\n Public Sigma rules used in Aurora<\/a>, THOR<\/a> and Aurora Lite<\/p>\n Private Sigma rules only available in Aurora<\/p>\n [\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":" The Follina 0day vulnerability (CVE-2022-30190) in Microsoft Windows is actively exploited in-the-wild and highly critical. This blog posts lists some important web resources and the signatures that detect exploitation attempts.Kevin’s post contains links to tweets of researchers that discovered the 0day exploit, information on the timeline, and mitigationsExplains the exploit in more detailRecommended counter measures by Benjamin DeplhySignatures Detecting Follina \/ CVE-2022-30190 Attacks Check for matches with the following rules: YARA Rules shared in the public signature-base and used in THOR and THOR Lite SUSP_Doc_RTF_OLE2Link_Jun22 SUSP_Doc_RTF_OLE2Link_EMAIL_Jun22 SUSP_DOC_RTF_ExternalResource_EMAIL_Jun22 SUSP_Msdt_Artefact_Jun22_2 SUSP_LNK_Follina_Jun22 SUSP_PS1_Msdt_Execution_May22 SUSP_Doc_WordXMLRels_May22 SUSP_Doc_RTF_ExternalResource_May22 EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 (previously: MAL_Msdt_MSProtocolURI_May22) Only available in THOR SUSP_PS1_Obfusc_Combo_Base64_CharacterConcatenation_May22 SUSP_PS1_Nested_InvokeExpression_May22 SUSP_Office_Cloaked_MHT_Moniker_Jun22 (uses external vars; not in Valhalla) EXPL_MAL_MalDoc_TemplateInjection_Jun22 SUSP_Encoded_Follina_CVE_2022_30190_Payloads_Jun22 SUSP_EXPL_Follina_CVE_2022_30190_Jun22_1 SUSP_EXPL_Follina_CVE_2022_30190_Jun22_2 EXPL_Encoded_CVE_2022_30190_Payloads_Jun22_1 Sigma Public Sigma rules used in Aurora, THOR and Aurora Lite Sdiagnhost Calling Suspicious Child Process – f3d39c45-de1a-4486-a687-ab126124f744 New Lolbin Process by Office Applications –\u00a023daeb52-e6eb-493c-8607-c4f0246cb7d8 MSDT Executed with Suspicious Parent – 7a74da6b-ea76-47db-92cc-874ad90df734 Execute Arbitrary Commands Using MSDT.EXE – 258fc8ce-8352-443a-9120-8a11e4857fa5 Microsoft Outlook Product Spawning Windows Shell – 208748f7-881d-47ac-a29c-07ea84bf691d Private Sigma rules only available in Aurora Sdiagnhost Loading System.Management.Automation.dll – 1a4a0e9c-e47d-492c-800f-545f83fac88a Sdiagnhost Calling Suspicious Descendant Process – 8655fa4b-e956-4ed4-b20d-151dfd8c802d<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":" [et_pb_section fb_built=\"1\" _builder_version=\"4.14.2\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_row _builder_version=\"4.14.2\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_column type=\"4_4\" _builder_version=\"4.14.2\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_text _builder_version=\"4.14.2\" _module_preset=\"default\" global_colors_info=\"{}\"]<\/p> The Log4Shell vulnerability (CVE-2021-44228) in log4j is actively exploited in-the-wild and highly critical. This blog posts lists some important web resources and the signatures that detect exploitation attempts.<\/p> [\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row column_structure=\"1_3,1_3,1_3\" _builder_version=\"4.14.2\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_column type=\"1_3\" _builder_version=\"4.14.2\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_blurb title=\"Explanation of the Vulnerability\" url=\"https:\/\/www.lunasec.io\/docs\/blog\/log4j-zero-day\/\" url_new_window=\"on\" image=\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2021\/12\/Screenshot-2021-12-12-at-12.12.53.png\" _builder_version=\"4.14.2\" _module_preset=\"default\" global_colors_info=\"{}\"]<\/p> LunaSec reported first on the vulnerability.<\/p> [\/et_pb_blurb][\/et_pb_column][et_pb_column type=\"1_3\" _builder_version=\"4.14.2\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_blurb title=\"Canary-based Vulnerability Detection\" url=\"https:\/\/twitter.com\/cyb3rops\/status\/1469405846010572816\" url_new_window=\"on\" image=\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2021\/12\/Screenshot-2021-12-12-at-11.45.25.png\" _builder_version=\"4.14.2\" _module_preset=\"default\" global_colors_info=\"{}\"]<\/p> Use this method to detect vulnerable applications and services in your organisation.<\/p> [\/et_pb_blurb][\/et_pb_column][et_pb_column type=\"1_3\" _builder_version=\"4.14.2\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_blurb title=\"Grep \/ ZGrep Detection Ideas\" url=\"https:\/\/gist.github.com\/Neo23x0\/e4c8b03ff8cdf1fa63b7d15db6e3860b\" url_new_window=\"on\" image=\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2021\/12\/Screenshot-2021-12-12-at-11.53.40.png\" _builder_version=\"4.14.2\" _module_preset=\"default\" global_colors_info=\"{}\"]<\/p> Different detection patterns and idea to detect exploitation attempts in log files using grep and zgrep.<\/p> [\/et_pb_blurb][\/et_pb_column][\/et_pb_row][et_pb_row column_structure=\"1_3,1_3,1_3\" _builder_version=\"4.14.2\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_column type=\"1_3\" _builder_version=\"4.14.2\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_blurb title=\"Log4Shell Detector Python Script\" url=\"https:\/\/github.com\/Neo23x0\/log4shell-detector\" url_new_window=\"on\" image=\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2021\/12\/screen1.png\" _builder_version=\"4.14.2\" _module_preset=\"default\" global_colors_info=\"{}\"]<\/p> A python script that can be used to detect even the most obfuscated versions of the malicious payload.<\/p> [\/et_pb_blurb][\/et_pb_column][et_pb_column type=\"1_3\" _builder_version=\"4.14.2\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_blurb title=\"List of Advisories by Vendors\" url=\"https:\/\/gist.github.com\/SwitHak\/b66db3a06c2955a9cb71a8718970c592\" url_new_window=\"on\" image=\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2021\/12\/Screenshot-2021-12-12-at-11.50.10.png\" _builder_version=\"4.14.2\" _module_preset=\"default\" global_colors_info=\"{}\"]<\/p> Big collection of advisories and statements by different vendors that use JAVA and log4j.<\/p> [\/et_pb_blurb][\/et_pb_column][et_pb_column type=\"1_3\" _builder_version=\"4.14.2\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_blurb title=\"List of Vulnerable Software with PoCs\" url=\"https:\/\/github.com\/YfryTchsGD\/Log4jAttackSurface\" url_new_window=\"on\" image=\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2021\/12\/Screenshot-2021-12-13-at-11.38.45.png\" _builder_version=\"4.14.2\" _module_preset=\"default\" global_colors_info=\"{}\"]<\/p> Incomplete list of software products that have proven to be vulnerable.<\/p> [\/et_pb_blurb][\/et_pb_column][\/et_pb_row][et_pb_row column_structure=\"1_3,1_3,1_3\" _builder_version=\"4.14.2\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_column type=\"1_3\" _builder_version=\"4.14.2\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_blurb title=\"Log4Shell Vulnerability Scanner (Local Files)\" url=\"https:\/\/github.com\/hillu\/local-log4j-vuln-scanner\" url_new_window=\"on\" image=\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2021\/12\/Screenshot-2021-12-12-at-17.16.33.png\" _builder_version=\"4.14.2\" _module_preset=\"default\" global_colors_info=\"{}\"]<\/p> Scans the file system of application servers for vulnerable versions of the log4j module.<\/p> [\/et_pb_blurb][\/et_pb_column][et_pb_column type=\"1_3\" _builder_version=\"4.14.2\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_blurb title=\"Fenrir Log4Shell Release\" url=\"https:\/\/github.com\/Neo23x0\/Fenrir\/releases\" url_new_window=\"on\" image=\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2021\/12\/Screenshot-2021-12-13-at-13.29.51.png\" _builder_version=\"4.14.2\" _module_preset=\"default\" global_colors_info=\"{}\"]<\/p> A bash based IOC scanner that can be used on any Linux\/Unix system to detect traces of the attack and vulnerable log4j versions.<\/p> [\/et_pb_blurb][\/et_pb_column][et_pb_column type=\"1_3\" _builder_version=\"4.14.2\" _module_preset=\"default\" global_colors_info=\"{}\"][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=\"4.14.2\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_column type=\"4_4\" _builder_version=\"4.14.2\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_text _builder_version=\"4.14.2\" _module_preset=\"default\" hover_enabled=\"0\" global_colors_info=\"{}\" sticky_enabled=\"0\"]<\/p> Check for matches with the following rules:<\/p> YARA<\/p> Sigma<\/p> Look for matches with the following rules that trigger on activity observer in-the-wild.<\/p> YARA<\/p>\n
\n
Sigma<\/h3>\n
\n
\n
Signatures Detecting Log4Shell Attacks<\/h1>
Exploitation<\/h3>
UUID: 9be472ed-893c-4ec0-94da-312d2765f654)<\/li>
(UUID: 5ea8faa8-db8b-45be-89b0-151b84c82702)<\/li>
(UUID: 412d55bc-7737-4d25-9542-5b396867ce55)<\/li><\/ul>Post-Exploitation<\/h3>