Query Details
//CVE-2021-40444 hunting. Find device mshtml image load events initiated by common Office executables, then retrieve process events from the device in the same time period where the initiating process is an Office executable, but the process is different
//Data connector required for this query - M365 Defender - Device* tables or Advanced Hunting license
// Office executables whose mshtml.dll loads, and whose child processes, are of interest
let process = dynamic(["winword.exe", "wordview.exe", "wordpad.exe", "powerpnt.exe", "excel.exe"]);
DeviceImageLoadEvents
// mshtml.dll image loads initiated by one of the Office executables above
| where FileName in ("mshtml.dll", "Microsoft.mshtml.dll")
| where InitiatingProcessFileName in~ (process)
| project ImageLoadTime=TimeGenerated, DeviceName, InitiatingProcessFolderPath,
    InitiatingProcessParentFileName, InitiatingProcessParentCreationTime,
    InitiatingProcessCommandLine
// Pull every process event from the same device. TimeGenerated, FileName and
// InitiatingProcessFileName below come from DeviceProcessEvents, because the
// image load side projected those columns away
| join kind=inner (
    DeviceProcessEvents)
    on DeviceName
| extend ProcessTime = TimeGenerated
| extend FileNameLower = tolower(FileName)
| extend InitiatingFileNameLower = tolower(InitiatingProcessFileName)
// Keep processes spawned by an Office executable that are not that Office executable itself...
| where InitiatingProcessFileName in~ (process)
| where FileNameLower != InitiatingFileNameLower
// ...and that started within five minutes either side of the mshtml.dll load
| where ProcessTime between ((ImageLoadTime-timespan(5min)).. (ImageLoadTime+timespan(5min)))
| project ImageLoadTime, ProcessTime, DeviceName, InitiatingProcessFileName, FileName

This query hunts for activity associated with the CVE-2021-40444 vulnerability. It starts from DeviceImageLoadEvents, selecting loads of mshtml.dll (or Microsoft.mshtml.dll) initiated by a common Office executable (winword.exe, wordview.exe, wordpad.exe, powerpnt.exe or excel.exe), and projects the image load time, device name, initiating process folder path, parent file name, parent creation time and command line. It then joins DeviceProcessEvents on DeviceName and keeps only process events from the same device in which the initiating process is an Office executable but the spawned process is a different executable, restricted to a window of five minutes either side of the image load. The query requires the M365 Defender data connector (Device* tables) or an Advanced Hunting license. The final results include the image load time, process time, device name, initiating process file name and the file name of the spawned process.
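As an added example that is not part of the original query or the author's content, the Python below reproduces the same correlation offline over constructed sample events, so the join logic (same device, Office parent, different child, five minutes either side of the load) can be checked without a workspace. Column names mirror the Device* tables; the device names, times and process names are made up, and name matching is case-insensitive throughout, whereas the query's FileName filter on mshtml.dll is case-sensitive.

```python
from datetime import datetime, timedelta

# Constructed sample data: values are made up and mirror only the Device*
# columns the query reads.
OFFICE = {"winword.exe", "wordview.exe", "wordpad.exe", "powerpnt.exe", "excel.exe"}
MSHTML = {"mshtml.dll", "microsoft.mshtml.dll"}
WINDOW = timedelta(minutes=5)

def t(s):
    return datetime.fromisoformat(s)

# Two DeviceImageLoadEvents rows: one Office-initiated, one not
IMAGE_LOADS = [
    {"TimeGenerated": t("2021-09-08T10:00:00"), "DeviceName": "ws01",
     "FileName": "mshtml.dll", "InitiatingProcessFileName": "WINWORD.EXE"},
    {"TimeGenerated": t("2021-09-08T11:00:00"), "DeviceName": "ws02",
     "FileName": "mshtml.dll", "InitiatingProcessFileName": "iexplore.exe"},
]
# DeviceProcessEvents rows covering each branch of the query's filters
PROCESS_EVENTS = [
    {"TimeGenerated": t("2021-09-08T10:02:30"), "DeviceName": "ws01",
     "FileName": "cmd.exe", "InitiatingProcessFileName": "winword.exe"},      # hit
    {"TimeGenerated": t("2021-09-08T10:02:31"), "DeviceName": "ws01",
     "FileName": "winword.exe", "InitiatingProcessFileName": "winword.exe"},  # same name
    {"TimeGenerated": t("2021-09-08T10:30:00"), "DeviceName": "ws01",
     "FileName": "splwow64.exe", "InitiatingProcessFileName": "winword.exe"}, # outside window
    {"TimeGenerated": t("2021-09-08T11:01:00"), "DeviceName": "ws02",
     "FileName": "cmd.exe", "InitiatingProcessFileName": "iexplore.exe"},     # parent not Office
]

def hunt(image_loads, process_events, window=WINDOW):
    """Return (ImageLoadTime, ProcessTime, DeviceName, InitiatingProcessFileName,
    FileName) tuples, the columns of the query's final project."""
    hits = []
    for il in image_loads:
        # Left side of the join: Office-initiated mshtml.dll loads
        if (il["FileName"].lower() not in MSHTML
                or il["InitiatingProcessFileName"].lower() not in OFFICE):
            continue
        lo, hi = il["TimeGenerated"] - window, il["TimeGenerated"] + window
        for pe in process_events:
            parent = pe["InitiatingProcessFileName"].lower()
            # Right side: same device, Office parent, different child process,
            # inside the +/- 5 minute window (KQL's between is inclusive)
            if (pe["DeviceName"] == il["DeviceName"] and parent in OFFICE
                    and pe["FileName"].lower() != parent
                    and lo <= pe["TimeGenerated"] <= hi):
                hits.append((il["TimeGenerated"], pe["TimeGenerated"], pe["DeviceName"],
                             pe["InitiatingProcessFileName"], pe["FileName"]))
    return hits
```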

Matt Zorich
Released: June 17, 2022