Let's talk about a very unique detection. When Follina is executed, the PCW.debugreport.xml file is generated in one of the locations below:
The second file location is for elevated instances. Anyway, as you can see in the image below, this file even tells us which program was executed by Follina:
Let's talk about other detections. There are some well-known C2 URLs attributed to Follina that security researchers have publicly disclosed. But we can't just blacklist those URLs/IPs and consider ourselves safe, because APT groups have already started exploiting Follina. For example, Threat Insight tweeted that the TA413 CN APT is exploiting Follina. So new URLs keep appearing.
Let's share an additional detection. The registry key below stores the remote destinations that MS Office was trying to reach:
So we can check this registry key for any suspicious URL or IP address, which might be a C2 URL for Follina exploitation. Thank you.
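To turn the two detections above into a quick host hunt, here is an added PowerShell example (not from the original post). The PCW.debugreport.xml locations, the Office registry key, and the allow-listed hosts are assumptions shown as labelled placeholders; fill them in from the post's screenshots and your own environment before running.

```powershell
# Added example, not part of the original post. Placeholders must be replaced:
# the two PCW.debugreport.xml paths and the Office registry key (use the
# PowerShell provider form, e.g. 'HKCU:\...') are shown in the post's images.
$ReportPaths = @(
    '<PLACEHOLDER: PCW.debugreport.xml location 1 from the post>',
    '<PLACEHOLDER: PCW.debugreport.xml location 2 (elevated instances)>'
)
$OfficeRemoteKey = '<PLACEHOLDER: HKCU:\... key from the post storing Office remote destinations>'
# Hosts MS Office legitimately reaches in this environment (assumption, tune it).
$AllowedHosts = @('office.com', 'microsoft.com', 'sharepoint.com')

function Find-PcwDebugReport {
    # Detection 1: the report file only appears when the troubleshooter ran.
    foreach ($path in $ReportPaths) {
        if (Test-Path -LiteralPath $path) {
            $item = Get-Item -LiteralPath $path
            [pscustomobject]@{
                Check     = 'PCW.debugreport.xml present'
                Evidence  = $item.FullName
                Timestamp = $item.LastWriteTime
                # Raw content kept so the analyst can see which program was launched.
                Detail    = Get-Content -LiteralPath $path -Raw
            }
        }
    }
}

function Find-SuspiciousOfficeDestination {
    # Detection 2: remote destinations recorded under the Office key that are
    # not on the allow list (bare IP addresses never match it, so they are flagged).
    if (-not (Test-Path -LiteralPath $OfficeRemoteKey)) { return }
    $key = Get-Item -LiteralPath $OfficeRemoteKey
    # Destinations may be stored as subkey names, value names or value data.
    $candidates = @((Get-ChildItem -LiteralPath $OfficeRemoteKey).PSChildName)
    foreach ($name in $key.GetValueNames()) {
        $candidates += $name
        $candidates += [string]$key.GetValue($name)
    }
    foreach ($c in ($candidates | Where-Object { $_ } | Sort-Object -Unique)) {
        if ($c -notmatch '(?i)^(?:https?://)?(?<h>[a-z0-9.-]+)') { continue }
        $destHost = $Matches['h']
        $trusted = $AllowedHosts | Where-Object { $destHost -eq $_ -or $destHost.EndsWith(".$_") }
        if (-not $trusted) {
            [pscustomobject]@{ Check = 'Unexpected Office remote destination'
                               Evidence = "$OfficeRemoteKey -> $c"; Timestamp = Get-Date; Detail = $null }
        }
    }
}

Find-PcwDebugReport
Find-SuspiciousOfficeDestination
```

Run it in the context of the user whose Office instance is being investigated, since the registry key lives under HKCU and the first report path is per-user.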
Md. Abdullah Al Mamun
Cyber Defence Engineer, CyDefOps