Intro
Hello, respected readers. Today I'll briefly discuss how we can detect exploitation of the new Follina vulnerability, tracked as CVE-2022-30190. So, let's start.
Main Discussion
Let's talk about a very unique detection. When Follina is executed, a PCW.debugreport.xml file is generated in one of the locations listed below. This file is the debug report written by the Program Compatibility troubleshooter (the PCWDiagnostic package that the public Follina payload invokes through the ms-msdt: handler), so it is created even when nothing else is logged. Keep in mind that a user who runs that troubleshooter legitimately produces the same file, so the hit is a triage lead, and the interesting part is what the report says was run.
The second file location is for elevated instances. As you can see in the image below, from this file we can even see which program Follina executed-

Source: Nasreddine Bencherchali
Let's talk about other detections. There are some well-known C2 URLs attributed to Follina that have been publicly disclosed by security researchers. But we can't just blacklist those URLs/IPs and consider ourselves safe, because APT groups have already started exploiting Follina. For example, Threat Insight tweeted that TA413, a China-aligned APT, is exploiting Follina. So new URLs keep appearing, and an IOC list alone will always lag behind.
Fortunately, Microsoft has published guidance for this CVE. But we can also use custom detections: there is a YARA rule shared by Florian Roth, and an Elastic EQL query from Brent Murphy.
Let's share an additional detection. The registry key below stores the remote destinations that MS Office tried to reach, one subkey per server URL. Note that HKEY_USERS only holds the hives of users currently logged on, and that 16.0 covers Office 2016 and later (older versions use their own version number)-
HKEY_USERS\<SID>\SOFTWARE\Microsoft\Office\16.0\Common\Internet\Server Cache
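As an added example (my own script, not code from the original post, from Nasreddine Bencherchali or from Isa AlMannaei), the following PowerShell hunts for both artifacts discussed above on a live host: the PCW.debugreport.xml files and the Office Server Cache destinations. It assumes the report sits under each profile's AppData\Local\Diagnostics folder (and under the SYSTEM profile for elevated runs), and $AllowedHosts is a placeholder allow-list you replace with your own servers. The patterns matched inside the XML are the public payload's parameters and common shells, not anything the page documents about the file's layout.

```powershell
<#
  Added example, not code from the original post or its cited researchers.
  Hunts for two Follina host artifacts on a live Windows host:
    1. PCW.debugreport.xml under user / SYSTEM profiles
    2. Office "Server Cache" registry key under HKEY_USERS\<SID>
  Assumptions (not stated on the page): the report lives under
  AppData\Local\Diagnostics, the elevated copy under the SYSTEM profile,
  and $AllowedHosts is a placeholder you replace with your own servers.
  Run from an elevated PowerShell 5.1+ session.
#>

# Placeholder allow-list (assumption): servers Office is expected to contact.
$AllowedHosts = @('sharepoint.example.local')

function Find-PcwDebugReport {
    # Returns every PCW.debugreport.xml found, plus the lines that look like
    # an ms-msdt / shell invocation so an analyst can see what was executed.
    $roots = @(Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue | ForEach-Object FullName)
    $roots += Join-Path $env:SystemRoot 'System32\config\systemprofile'   # elevated instances (assumption)

    foreach ($root in $roots) {
        $diag = Join-Path $root 'AppData\Local\Diagnostics'               # assumption: report location
        if (-not (Test-Path -LiteralPath $diag)) { continue }
        Get-ChildItem -LiteralPath $diag -Recurse -Filter 'PCW.debugreport.xml' -ErrorAction SilentlyContinue |
            ForEach-Object {
                $file = $_
                # The XML layout is not documented here, so match on content:
                # the public payload's msdt parameters and common shells.
                $suspect = Select-String -LiteralPath $file.FullName `
                    -Pattern 'ms-msdt', 'IT_BrowseForFile', 'IT_RebrowseForFile', 'Invoke-Expression', 'powershell', 'cmd\.exe' `
                    -ErrorAction SilentlyContinue
                [pscustomobject]@{
                    Path       = $file.FullName
                    Created    = $file.CreationTime
                    Suspicious = [bool]$suspect
                    Evidence   = (@($suspect | ForEach-Object { $_.Line.Trim() } | Select-Object -Unique)) -join ' | '
                }
            }
    }
}

function Get-OfficeServerCache {
    # Lists every remote destination recorded under the Office 16.0
    # "Server Cache" key for each loaded user hive, flagging hosts that are
    # not in $AllowedHosts. Only hives of logged-on users exist under HKU.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root 'HKEY_USERS' | Out-Null
    }
    Get-ChildItem -Path 'HKU:\' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |   # real user SIDs, skip *_Classes
        ForEach-Object {
            $sid = $_.PSChildName
            $key = "HKU:\$sid\SOFTWARE\Microsoft\Office\16.0\Common\Internet\Server Cache"
            if (-not (Test-Path -LiteralPath $key)) { return }
            Get-ChildItem -LiteralPath $key -ErrorAction SilentlyContinue | ForEach-Object {
                $dest = $_.PSChildName                 # one subkey per server URL
                $hostName = try { ([uri]$dest).Host } catch { $dest }   # keep raw name if not a URI
                [pscustomobject]@{
                    SID         = $sid
                    Destination = $dest
                    Host        = $hostName
                    Unexpected  = -not ($AllowedHosts -contains $hostName)
                }
            }
        }
}

Find-PcwDebugReport | Format-Table -AutoSize
Get-OfficeServerCache | Where-Object Unexpected | Format-Table -AutoSize
```

Two practical caveats: the Server Cache check only sees hives loaded under HKEY_USERS, so for users who are not logged on you need to load their NTUSER.DAT with reg load first; and a PCW.debugreport.xml with no suspicious lines is most likely a legitimate troubleshooter run, so treat the Evidence column, not the file's mere existence, as the signal.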
Source: Isa AlMannaei
Md. Abdullah Al Mamun
Cyber Defence Engineer, CyDefOps