OverWatch Casts a Wide Net for Follina: Hunting Beyond the Proof of Concept
CVE-2022-30190, aka Follina, was published by @nao_sec on Twitter on May 27, 2022 — the start of Memorial Day weekend in the U.S. — highlighting once again the need for round-the-clock cybersecurity coverage. Threat hunting in particular is critical in these instances, as it provides organizations with the surge support needed to combat adversaries and thwart their objectives.
The Follina vulnerability, classified as a zero-day, can be invoked via weaponized Office documents, Rich Text Format (RTF) files, XML files and HTML files. Moreover, there are a variety of ways this vulnerability can be used in the wild. As always, OverWatch threat hunters are casting a wide net in hunting for this activity — protecting customers against both known and unknown threats.
The CrowdStrike Falcon®® platform protects customers from current Follina exploitation attempts using behavior-based indicators of attack (IOAs). As described in depth in this CrowdStrike blog about Follina, the Falcon sensor has detection and prevention logic that addresses exploitation of this vulnerability. With “Suspicious Process Blocking” enabled, Falcon will block code execution attempts from
msdt.exe. Even without “Suspicious Process Blocking” enabled, the Falcon sensor will still generate a detection in the Falcon console.
Today’s determined adversaries, however, are known to be persistent and agile in their attempts to circumvent automated detections. OverWatch remains vigilant in tracking this new threat as it evolves to provide a strong last line of defense.
Hunting for Follina
As with previous zero-day disclosures, OverWatch’s approach to hunting remains unchanged. OverWatch hunts specifically for hands-on-keyboard activity — not initial access vectors. Laser-focusing resources on post-exploitation behavior is a proven strategy that has effectively and efficiently uncovered sophisticated adversaries leveraging prior zero-day vulnerabilities, such as the Log4j vulnerability.
Over Memorial Day weekend, OverWatch analysts were on high-alert, actively monitoring various open source intelligence outlets that showed early signs of an influx in
Initial publications demonstrated a successful proof-of-concept utilizing Microsoft Word (
winword.exe) as the parent process to
msdt.exe. While OverWatch has also observed
winword.exe as the predominant parent process leveraged for exploitation of Follina, threat hunters have also seen
powershell.exe used as parent processes. The process tree below illustrates an attempted Follina exploitation as part of likely adversary emulation activity observed by OverWatch:
Looking at the commands run as part of this adversary emulation, OverWatch observed an attempt to use
regsvr32.exe to execute a malicious DLL file:
C:\Windows\SysWOW64\msdt.exe ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=cal?c IT_LaunchMethod=ContextMenu IT_SelectProgram=NotListed IT_BrowseForFile=h$(start-process('powershell')(@('regsvr32.exe','-u','C:\Users\Public\Documents\customDLL_stageless64.dll')))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe IT_AutoTroubleshoot=ts_AUTO"
This is an example of Exploitation for Client Execution (T1203), leading to the often-observed System Binary Proxy Execution (T1218) technique. This technique is leveraged in an attempt to evade endpoint detection and response teams and give a façade of legitimacy to malicious processes. By choosing to utilize the Follina vulnerability in such a way, an adversary is able to nest instances of System Binary Proxy Execution using several legitimate, signed Microsoft executables to facilitate the execution of malicious code:
winword.exe(Microsoft Word Binary)
msdt.exe(Microsoft System Diagnostic Tool)
regsvr32.exe(DLL Registration Service Binary)
The primary threat posted by such nested obfuscation attempts is simple — by creating a complex process tree, which appears to be normal system behavior, adversaries can attempt to delay or avoid detection entirely. While the Falcon sensor does detect this type of activity, less mature security solutions, as well as systems administrators or less experienced security operation center analysts, may not alert on this activity and/or deem it malicious.
Advanced Exploitation Technique Hunting
In addition to Microsoft Office products utilizing
ms-msdt, PowerShell also executes any code via
msdt.exe as it trusts Microsoft Protocol URIs. Therefore, adversaries can leverage the built-in web parsing capabilities of PowerShell to download malicious HTML containing
ms-msdt directives. This allows the adversary to obfuscate any further commands by leveraging
msdt.exe to execute arbitrary code as opposed to using Command and Scripting Interpreter (T1059) directly. Since adversaries can use
wget to facilitate further action on objectives within the environment, OverWatch continues to hunt for malicious instances or anomalies surrounding the use of PowerShell’s built-in web request capabilities.
When hunting for Follina exploitation strings utilizing
iwr, it is important to remember that they are aliases for the PowerShell cmdlet
Invoke-WebRequest and as a result, the alias will not appear in the process tree.
Utilizing an Event Search query developed by the OverWatch team, you can search for abuse of
msdt.exe in your environment:
event_simpleName=ProcessRollup2 event_platform=win FileName=msdt.exe | search (PCWDiagnostic AND ms-msdt:) | eval ProcessExplorer="https://falcon.crowdstrike.com/investigate/process-explorer" | strcat ProcessExplorer "/" aid "/" TargetProcessId_decimal "?_cid=" cid ProcessExplorerURL | table _time ParentBaseFileName CommandLine ComputerName UserName ProcessExplorerURL | sort + _time
The first two lines of the query look for any executions of
msdt.exe where the process event contains two keywords that are known to be present in successful exploitation attempts within the process command line. The third and fourth lines construct a Process Explorer link to the relevant
msdt.exe process, which can be useful for triaging the executions. The final two lines format the results in a table, and sort them chronologically.
Please note that depending on which Falcon cloud you reside in, you may need to adjust the second line of the query which is used to generate a Process Explorer link:
|Cloud||PrEx URL String|
The announcement of Follina follows a trend that OverWatch has observed in which zero-day exploits are released leading up to or on a long weekend. Holiday weekends are an opportune time for adversaries to exploit zero-days as organizations tend to have reduced resources available and respond slower to threats.
OverWatch, armed with the power of CrowdStrike Security Cloud, leverages statistical-, hypothesis- and intelligence-driven threat hunting 24/7/365 to discover malicious artifacts and detection methods not accounted for in automated, passive monitoring. As new vulnerabilities like Follina hit the news, OverWatch immediately begins analyzing customer environments for threat activity and alerts them to risks. OverWatch’s hunting methodology moves beyond the zero-day, protecting customers against all threats regardless of the initial access vector.
OverWatch Elite builds on the 24/7 threat hunting operations provided as a part of OverWatch standard and includes additional services, such as: 60-minute call escalation for critical threats, quarterly threat briefings, tailored threat hunting and more. OverWatch Elite customers are also invited to a private Slack channel where they can reach an OverWatch Elite analyst to respond with speed and confidence.
- Learn more about Falcon OverWatch’s proactive managed threat hunting.
- Discover the power of tailored threat hunting OverWatch Elite provides customers in this blog post.
- Watch how Falcon OverWatch proactively hunts for threats in your environment.
- Read more about how part-time threat hunting is simply not enough in this blog post.
- Learn more about the CrowdStrike Falcon®® platform.