Wazuh Detection Rules for MS RCE CVE-2022–30190, “Follina”.

Intro

References: Huntress Labs Blog

Microsoft CVE Info.

EDR: Wazuh agent + Sysmon with Mitre Enriched. Rules available in our Github Repo, rules file “MITRE_TECHNIQUES_FROM_SYSMON_EVENT1.xml”

Detection Rules

Child rules using “MITRE_TECHNIQUES_FROM_SYSMON_EVENT1.xml” and adding additional conditions for spawned processes:

<!-- MS RCE "Follina" Detection Rules -->
<!-- regsvr32 Spawned by MS-OFFICE Processes-->
<rule id="100506" level="13">
  <if_sid>100160</if_sid>
  <field name="win.eventdata.parentImage">winword.exe$|excel.exe$|powerpnt.exe$</field>
  <description>Sysmon - Event 1: Process $(win.eventdata.description) - MS RCE Follina Detection.</description>
  <mitre>
  <id>T1204</id>
  <id>T1047</id>
  <id>T1218</id>
  </mitre>
  <options>no_full_log</options>
  <group>sysmon_event1,windows_sysmon_event1,sysmon_anomaly</group>
</rule>
<!-- rundll32 Spawned by MS-OFFICE Processes-->
<rule id="100507" level="13">
  <if_sid>100110</if_sid>
  <field name="win.eventdata.parentImage">winword.exe$|excel.exe$|powerpnt.exe$</field>
  <description>Sysmon - Event 1: Process $(win.eventdata.description) - MS RCE Follina Detection.</description>
  <mitre>
  <id>T1204</id>
  <id>T1047</id>
  <id>T1218</id>
  </mitre>
  <options>no_full_log</options>
  <group>sysmon_event1,windows_sysmon_event1,sysmon_anomaly</group>
</rule>
<!-- msiexec,verclsid,msdt Spawned by MS-OFFICE Processes-->
<rule id="100508" level="13">
  <if_sid>100135</if_sid>
  <field name="win.eventdata.parentImage">winword.exe$|excel.exe$|powerpnt.exe$</field>
  <description>Sysmon - Event 1: Process $(win.eventdata.description) - MS RCE Follina Detection.</description>
  <mitre>
  <id>T1204</id>
  <id>T1047</id>
  <id>T1218</id>
  </mitre>
  <options>no_full_log</options>
  <group>sysmon_event1,windows_sysmon_event1,sysmon_anomaly</group>
</rule>
<!-- mshta Spawned by MS-OFFICE Processes-->
<rule id="100509" level="13">
  <if_sid>100163</if_sid>
  <field name="win.eventdata.parentImage">winword.exe$|excel.exe$|powerpnt.exe$</field>
  <description>Sysmon - Event 1: Process $(win.eventdata.description) - MS RCE Follina Detection.</description>
  <mitre>
  <id>T1204</id>
  <id>T1047</id>
  <id>T1218</id>
  </mitre>
  <options>no_full_log</options>
  <group>sysmon_event1,windows_sysmon_event1,sysmon_anomaly</group>
</rule>

Need Help?

The functionality discussed in this post, and so much more, are available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/

Platform Demo: https://www.socfortress.co/demo_access.html