Wazuh Detection Rules for MS RCE CVE-2022–30190, “Follina”.

Intro

References: Huntress Labs Blog

Microsoft CVE Info.

EDR: Wazuh agent + Sysmon with Mitre Enriched. Rules available in our Github Repo, rules file “MITRE_TECHNIQUES_FROM_SYSMON_EVENT1.xml”

Detection Rules

Child rules using “MITRE_TECHNIQUES_FROM_SYSMON_EVENT1.xml” and adding additional conditions for spawned processes:

<!-- MS RCE "Follina" Detection Rules -->
<!-- regsvr32 Spawned by MS-OFFICE Processes-->
<rule id="100506" level="13">
<if_sid>100160</if_sid>
<field name="win.eventdata.parentImage">winword.exe$|excel.exe$|powerpnt.exe$</field>
<description>Sysmon - Event 1: Process $(win.eventdata.description) - MS RCE Follina Detection.</description>
<mitre>
<id>T1204</id>
<id>T1047</id>
<id>T1218</id>
</mitre>
<options>no_full_log</options>
<group>sysmon_event1,windows_sysmon_event1,sysmon_anomaly</group>
</rule>
<!-- rundll32 Spawned by MS-OFFICE Processes-->
<rule id="100507" level="13">
<if_sid>100110</if_sid>
<field name="win.eventdata.parentImage">winword.exe$|excel.exe$|powerpnt.exe$</field>
<description>Sysmon - Event 1: Process $(win.eventdata.description) - MS RCE Follina Detection.</description>
<mitre>
<id>T1204</id>
<id>T1047</id>
<id>T1218</id>
</mitre>
<options>no_full_log</options>
<group>sysmon_event1,windows_sysmon_event1,sysmon_anomaly</group>
</rule>
<!-- msiexec,verclsid,msdt Spawned by MS-OFFICE Processes-->
<rule id="100508" level="13">
<if_sid>100135</if_sid>
<field name="win.eventdata.parentImage">winword.exe$|excel.exe$|powerpnt.exe$</field>
<description>Sysmon - Event 1: Process $(win.eventdata.description) - MS RCE Follina Detection.</description>
<mitre>
<id>T1204</id>
<id>T1047</id>
<id>T1218</id>
</mitre>
<options>no_full_log</options>
<group>sysmon_event1,windows_sysmon_event1,sysmon_anomaly</group>
</rule>
<!-- mshta Spawned by MS-OFFICE Processes-->
<rule id="100509" level="13">
<if_sid>100163</if_sid>
<field name="win.eventdata.parentImage">winword.exe$|excel.exe$|powerpnt.exe$</field>
<description>Sysmon - Event 1: Process $(win.eventdata.description) - MS RCE Follina Detection.</description>
<mitre>
<id>T1204</id>
<id>T1047</id>
<id>T1218</id>
</mitre>
<options>no_full_log</options>
<group>sysmon_event1,windows_sysmon_event1,sysmon_anomaly</group>
</rule>

Need Help?

The functionality discussed in this post, and so much more, are available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/

Platform Demo: https://www.socfortress.co/demo_access.html

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
SOCFortress

SOCFortress

SOCFortress is a SaaS company that unifies Observability, Security Monitoring, Threat Intelligence and Security Orchestration, Automation, and Response (SOAR).