CVE-2021-40444 - MSHTML RCE
This Playbook is part of the CVE-2021-40444 - MSHTML RCE Pack.#
Supported versions
Supported Cortex XSOAR versions: 6.5.0 and later.
CVE-2021-4044 refers to the MSHTML engine, that has been found vulnerable to arbitrary code execution by a specially crafted Microsoft Office document or rich text format file.
Mitigations:
- Microsoft official patch addressing CVE-2021-40444
- Several workarounds suggested by Microsoft.
Researchers have validated this attack triggered in Windows Explorer with “Preview Mode” enabled, even in just a rich-text format RTF file (not an Office file and without ActiveX). This indicates it can be exploited even without opening the file and this invalidates Microsoft’s workaround mitigation mentioned above.
This playbook should be trigger manually and includes the following tasks:
- Collect related known indicators from several sources.
- Indicators, Files and Process creation patterns hunting using PAN-OS, Cortex XDR and SIEM products.
- Block indicators automatically or manually.
- Provide workarounds and detection capabilities.
- Microsoft official CVE-2021-40444 patch.
More information: Microsoft MSHTML Remote Code Execution Vulnerability
Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.
Dependencies#
This playbook uses the following sub-playbooks, integrations, and scripts.
Sub-playbooks#
- Palo Alto Networks - Hunting And Threat Detection
- Splunk Indicator Hunting
- Search Endpoints By Hash - Generic V2
- Endpoint Enrichment - Generic v2.1
- QRadar Indicator Hunting V2
- Block Indicators - Generic v3
Integrations#
This playbook does not use any integrations.
Scripts#
- SearchIncidentsV2
- http
- ParseHTMLIndicators
Commands#
- extractIndicators
- associateIndicatorsToIncident
- setIndicators
- qradar-searches
- splunk-search
- closeInvestigation
- linkIncidents
Playbook Inputs#
| Name | Description | Default Value | Required |
|---|---|---|---|
| YaraRulesSource | The source of the Yara rules | https://github.com/Neo23x0/signature-base/blob/master/yara/expl_cve_2021_40444.yar | Optional |
| SigmaRulesSource | The source of the Sigma rules | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file_event/win_file_winword_cve_2021_40444.yml | Optional |
| SplunkEarliestTime | The earliest time for the Splunk search query. | -7d | Optional |
| SplunkLatestTime | The latest time for the Splunk search query. | now | Optional |
| BlockIndicatorsAutomatically | Whether to automatically block the indicators involved. | False | Optional |
| EDLDomainBlocklist | The name of the EDL Domain Block List. | Demisto Remediation - Domain EDL | Optional |
| QRadarTimeRange | The time range for the QRadar search query. | LAST 7 DAYS | Optional |
| AutoBlockIndicator | If set to True Indicators will be blocked automatically. Default:False | True | Optional |
| UserVerification | The User Need to verify the indicators before blocking Default:True | False | Optional |
Playbook Outputs#
There are no outputs for this playbook.
Playbook Image#
