Query Details

Outlook Monikerlink Zeroday

Query

DeviceProcessEvents
| where ProcessCommandLine contains "rundll32.exe C:\\WINDOWS\\system32\\davclnt.dll,DavSetCookie"
| where ProcessCommandLine contains "http" or ProcessCommandLine contains "https"
| where ProcessCommandLine matches regex @"\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b"
//| where not(ProcessCommandLine contains "10." or ProcessCommandLine contains "172." or ProcessCommandLine contains "192.168")
| project-reorder Timestamp, AccountUpn, ProcessCommandLine

Explanation

A specially crafted link can bypass the existing Outlook security restriction for remote files. This query detects a potential successful exploitation of the MonikerLink bug in Microsoft Office products, like Outlook. The detection logic does so by checking whether ProcessCommandLine contains davclnt.dll,DavSetCookie, the Windows WebDAV client (WebDAV is an extension of the HTTP protocol that allows clients to perform remote web content operations). The regex then searches for IPv4 addresses in the ProcessCommandLine field. The query is built on the hypothesis that a user clicked the following link from an Outlook client: file:///\<IPv4><string><file.extension>!something
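The same filter chain, re-implemented in Python so it can be run offline against a handful of constructed DeviceProcessEvents rows. This is an added example, not the author's query or Microsoft code; the sample rows, account names and the 203.0.113.x addresses are made up. It goes slightly beyond the KQL above: the IPv4 candidates the regex finds are validated with the ipaddress module (the bare regex also accepts octets above 255), and the commented-out private-range exclusion is expressed as exact RFC 1918 networks instead of string prefixes (a prefix test on "172." would also drop 172.0.0.0/8 traffic outside 172.16.0.0/12, and "10." also matches "110.x").

```python
import re
from ipaddress import ip_address, ip_network

# Same substring markers as the KQL query. KQL `contains` is case-insensitive,
# so every comparison below is done on a lower-cased command line.
DAV_MARKER = r"rundll32.exe c:\windows\system32\davclnt.dll,davsetcookie"
IPV4_CANDIDATE = re.compile(r"\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b")

# The ranges the commented-out exclusion line in the query is trying to express.
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# Constructed sample rows (not real telemetry). Row 1 mirrors the WebDAV client
# launch the query hunts for; the others are benign-looking noise.
SAMPLE_EVENTS = [
    {"Timestamp": "2024-06-07T09:12:01Z", "AccountUpn": "alice@example.test",
     "ProcessCommandLine": r"rundll32.exe C:\WINDOWS\system32\davclnt.dll,DavSetCookie 203.0.113.25 http://203.0.113.25/share/test.rtf"},
    {"Timestamp": "2024-06-07T09:15:44Z", "AccountUpn": "bob@example.test",
     "ProcessCommandLine": r"rundll32.exe C:\WINDOWS\system32\davclnt.dll,DavSetCookie fileserver http://fileserver/docs/a.docx"},
    {"Timestamp": "2024-06-07T09:20:10Z", "AccountUpn": "carol@example.test",
     "ProcessCommandLine": r"rundll32.exe C:\WINDOWS\system32\davclnt.dll,DavSetCookie 10.1.2.3 http://10.1.2.3/team/notes.docx"},
    {"Timestamp": "2024-06-07T09:25:00Z", "AccountUpn": "dave@example.test",
     "ProcessCommandLine": r"rundll32.exe C:\WINDOWS\system32\shell32.dll,Control_RunDLL http://203.0.113.9/x"},
]


def extract_ipv4(command_line):
    """Return the syntactically valid IPv4 addresses (as strings) in a command line.

    The regex alone also accepts things like 300.1.1.1; ip_address() rejects them.
    """
    found = []
    for candidate in IPV4_CANDIDATE.findall(command_line):
        try:
            found.append(str(ip_address(candidate)))
        except ValueError:
            continue
    return found


def is_rfc1918(addr):
    """Exact network membership test, replacing the string-prefix exclusion."""
    return any(ip_address(addr) in net for net in RFC1918)


def matches_monikerlink_rule(event, exclude_private=False):
    """Apply the query's where-clauses to one DeviceProcessEvents row."""
    cmd = event["ProcessCommandLine"].lower()
    if DAV_MARKER not in cmd:
        return False
    if "http" not in cmd:  # "https" contains "http", so one check covers both
        return False
    ips = extract_ipv4(cmd)
    if not ips:
        return False
    # Optional equivalent of the commented-out line: drop rows whose only
    # addresses are internal. Keep this off when hunting for lateral WebDAV use.
    if exclude_private and all(is_rfc1918(ip) for ip in ips):
        return False
    return True


def run_rule(events, exclude_private=False):
    """Return the projected columns for every row that matches the rule."""
    return [
        {"Timestamp": e["Timestamp"], "AccountUpn": e["AccountUpn"],
         "ProcessCommandLine": e["ProcessCommandLine"]}
        for e in events if matches_monikerlink_rule(e, exclude_private)
    ]


if __name__ == "__main__":
    for row in run_rule(SAMPLE_EVENTS):
        print(row["Timestamp"], row["AccountUpn"], row["ProcessCommandLine"])
```

Run as-is, the rule returns the alice and carol rows; with exclude_private=True only the alice row survives, because carol's WebDAV target is inside 10.0.0.0/8. The bob row is the usual false-negative case for this query: a WebDAV target given by hostname rather than IP literal produces no regex hit, so a hostname-based variant of the rule is worth keeping alongside this one.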

Details

@b41ss

Released: June 7, 2024

Tables

DeviceProcessEvents

Keywords

DeviceProcessEvents,ProcessCommandLine,http,https,regex,Timestamp,AccountUpn.

Operators

where, contains, or, matches regex, project-reorder
