Query Details

Detect CVE-2024-43572 Abuse

Query

// Detect CVE-2024-43572 Abuse

// In Microsoft’s October security update, they highlighted that attackers are actively exploiting CVE-2024-43572, a remote code execution (RCE) flaw in the Microsoft Management Console (MMC). The patch released by Microsoft aims to prevent “untrusted Microsoft Saved Console (MSC) files from being opened,” thereby protecting customers from the associated risks.

// Security researchers at Elastic Security have observed threat actors using specially crafted MMC files, named GrimResource, for initial access and defense evasion. Although Microsoft did not address this specific point in their latest patch update, I took it upon myself to investigate the extent of this .msc vulnerability abuse using the SHA1 of GrimResource. To my astonishment, this .msc file has been detected in 260 organizations worldwide from June 26 to September 2. This significant number of affected organizations underscores the importance of Microsoft’s patch to block untrusted .msc files.

// While waiting for the October patch to be applied to all Windows servers and workstations, here’s an MDE KQL to detect unknown .msc files created on endpoints (excluding servers and admin endpoints where MMC is frequently run):

// Identities the exposure graph marks as critical (criticality level below 4)
let CriticalIdentities =
ExposureGraphNodes
| where set_has_element(Categories, "identity")
| where isnotnull(NodeProperties.rawData.criticalityLevel) and
NodeProperties.rawData.criticalityLevel.criticalityLevel < 4
| distinct NodeName;
// Devices those critical identities can authenticate to. Note that isLocalAdmin
// is extended for reference only and not filtered on, so every device a
// critical identity can reach is treated as an admin endpoint and excluded below
let AdminDevices =
ExposureGraphEdges
| where EdgeLabel == @"can authenticate to"
| join ExposureGraphNodes on $left.TargetNodeId==$right.NodeId
| extend DName = tostring(NodeProperties.rawData.deviceName)
| extend isLocalAdmin = EdgeProperties.rawData.userRightsOnDevice.isLocalAdmin
| where SourceNodeName has_any (CriticalIdentities)
| distinct DName;
// Devices running a server OS (contains is case-insensitive)
let ServerDevice =
DeviceInfo
| where OSPlatform contains "server"
| distinct DeviceName;
// Newly created .msc files on every remaining endpoint
DeviceFileEvents
| where ActionType == @"FileCreated"
| where FileName endswith ".msc"
| where not (DeviceName has_any(AdminDevices))
| where not (DeviceName has_any (ServerDevice))

// MITRE ATT&CK Technique
// T1210 - Exploitation of Remote Services

Explanation

This query is designed to detect potential abuse of a specific security vulnerability, CVE-2024-43572, which is a remote code execution flaw in the Microsoft Management Console (MMC). Here's a simplified breakdown of what the query does:

  1. Background: The vulnerability allows attackers to exploit untrusted Microsoft Saved Console (MSC) files. Microsoft released a patch to prevent these files from being opened, but attackers have been using specially crafted files, known as GrimResource, to gain initial access and evade defenses.

  2. Objective: The query aims to identify unknown .msc files being created on endpoints, excluding servers and administrative endpoints where MMC is commonly used. This helps in detecting potential exploitation attempts before the patch is fully applied across all systems.

  3. Steps in the Query:

    • Identify Critical Identities: It first identifies user identities whose criticality level in the exposure graph is below 4.
    • Identify Admin Devices: It then identifies the devices these critical identities can authenticate to. The isLocalAdmin edge property is extended for reference but is not used as a filter, so every device a critical identity can reach is excluded.
    • Identify Server Devices: It also identifies devices running server operating systems.
    • Detect Unknown .msc Files: Finally, it searches for .msc files being created on devices that are not identified as admin or server devices. This helps in spotting potentially malicious files that could be exploiting the vulnerability.

  4. Security Context: The query is aligned with the MITRE ATT&CK framework, specifically technique T1210, which involves the exploitation of remote services.

In essence, this query is a proactive measure to detect suspicious activity related to the CVE-2024-43572 vulnerability by monitoring the creation of .msc files on non-admin and non-server devices.
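As an added hunting example (not part of the original query or the author's work), the following KQL keeps the server and admin-device exclusions, but derives admin devices from the isLocalAdmin edge property that the query above extends without using, and then correlates each .msc creation with a later mmc.exe launch of that file on the same device so the analyst sees who wrote the file and whether it was actually opened. It assumes the standard Advanced Hunting columns it names (Timestamp, FolderPath, SHA1, InitiatingProcessFileName, ProcessCommandLine, AccountName) and the same ExposureGraph layout as the query above; the process names in the DeliveredBy labels are illustrative choices.

```kql
// Added example (not the original page's query): show who wrote each .msc
// file and whether mmc.exe opened it afterwards, with server/admin exclusions.
// Assumption: standard MDE Advanced Hunting schema columns as named below.
let Lookback = 7d;
let OpenWindow = 1h;   // creation-to-open window that counts as "opened"
// Devices reachable with local admin rights according to the exposure graph
let AdminDevices =
    ExposureGraphEdges
    | where EdgeLabel == @"can authenticate to"
    | join ExposureGraphNodes on $left.TargetNodeId == $right.NodeId
    | where EdgeProperties.rawData.userRightsOnDevice.isLocalAdmin == true
    | extend DName = tostring(NodeProperties.rawData.deviceName)
    | distinct DName;
let ServerDevice =
    DeviceInfo
    | where OSPlatform contains "server"
    | distinct DeviceName;
let MscCreated =
    DeviceFileEvents
    | where Timestamp > ago(Lookback)
    | where ActionType == @"FileCreated" and FileName endswith ".msc"
    | where DeviceName !in (AdminDevices) and DeviceName !in (ServerDevice)
    // Label the writing process so browser, mail and archive drops stand out
    | extend DeliveredBy = case(
        InitiatingProcessFileName in~ ("chrome.exe", "msedge.exe", "firefox.exe"), "browser",
        InitiatingProcessFileName =~ "outlook.exe", "mail client",
        InitiatingProcessFileName in~ ("7zfm.exe", "winrar.exe", "explorer.exe"), "archive/explorer",
        "other")
    | project CreateTime = Timestamp, DeviceName, FileName, FolderPath, SHA1,
              WriterProcess = InitiatingProcessFileName, DeliveredBy;
MscCreated
| join kind=leftouter (
    DeviceProcessEvents
    | where Timestamp > ago(Lookback)
    | where FileName =~ "mmc.exe" and ProcessCommandLine has ".msc"
    | project DeviceName, OpenTime = Timestamp, OpenedBy = AccountName,
              MmcCommandLine = ProcessCommandLine
  ) on DeviceName
// A launch counts only if it follows the creation and names this file
| extend Opened = isnotnull(OpenTime)
    and OpenTime between (CreateTime .. (CreateTime + OpenWindow))
    and MmcCommandLine contains FileName
| summarize OpenCount = countif(Opened), FirstOpen = minif(OpenTime, Opened),
            OpenedBy = take_anyif(OpenedBy, Opened), MmcCommandLine = take_anyif(MmcCommandLine, Opened)
  by CreateTime, DeviceName, FileName, FolderPath, SHA1, WriterProcess, DeliveredBy
| extend OpenedInMmc = OpenCount > 0
| project-away OpenCount
| order by OpenedInMmc desc, CreateTime desc
```

Rows with OpenedInMmc set to true are the ones to triage first; a creation with no matching launch is still listed so that staged-but-unopened files are not lost.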

Details


Steven Lim

Released: October 10, 2024

Tables

ExposureGraphNodes, ExposureGraphEdges, DeviceInfo, DeviceFileEvents

Keywords

Devices, Endpoints, Servers, Workstations, Security, Researchers, Organizations, Microsoft, Windows

Operators

let, set_has_element, isnotnull, distinct, where, join, on, extend, tostring, contains, endswith, has_any
