Detect MSDT 0day – Follina

Intro

Hello, respectful readers. Today I'll briefly discuss how we can detect the new Follina exploitation, which is tracked as CVE-2022-30190. So, let's start.


Main Discussion

Let's talk about a very unique detection. When Follina is executed, a PCW.debugreport.xml file is generated inside one of the locations below:

  %LocalAppData%\Diagnostics

  %LocalAppData%\ElevatedDiagnostics


The second location is used for elevated instances. Anyway, as you can see in the image below, this file even lets us see which program was executed by Follina:
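As an added example (not code from the original post), the PowerShell script below checks both folders for the artifact just described: it lists every PCW.debugreport.xml found under %LocalAppData%\Diagnostics and %LocalAppData%\ElevatedDiagnostics, records whether it came from the elevated folder, and pulls out any text inside the XML that looks like a program or script path. The schema of the report is not documented on this page, so scanning every text node instead of named elements is an assumption.

```powershell
# Added example, not from the original post. Assumes PCW.debugreport.xml is
# well-formed XML; its element names are not documented here, so every text
# node is scanned for something that looks like a program path.

$locations = @(
    (Join-Path $env:LOCALAPPDATA 'Diagnostics'),
    (Join-Path $env:LOCALAPPDATA 'ElevatedDiagnostics')
)

foreach ($dir in $locations) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }

    # Diagnostic sessions may sit in per-run subfolders, so search recursively
    $reports = Get-ChildItem -LiteralPath $dir -Filter 'PCW.debugreport.xml' -Recurse -File -ErrorAction SilentlyContinue

    foreach ($report in $reports) {
        $hints = @()
        try {
            [xml]$doc = Get-Content -LiteralPath $report.FullName -Raw
            # Collect any text that names an executable or script, which is the
            # "which program was executed" clue the post describes
            foreach ($node in $doc.SelectNodes('//text()')) {
                $text = $node.Value.Trim()
                if ($text -match '\.(exe|cmd|bat|ps1|vbs|js)\b') { $hints += $text }
            }
        } catch {
            Write-Warning "Could not parse $($report.FullName): $($_.Exception.Message)"
        }

        [pscustomobject]@{
            Path         = $report.FullName
            CreatedUtc   = $report.CreationTimeUtc
            Elevated     = ($dir -like '*\ElevatedDiagnostics')
            ProgramHints = ($hints -join '; ')
        }
    }
}
```

Run it in the context of the user being investigated (or loop over profile directories instead of $env:LOCALAPPDATA when triaging a whole machine); the creation timestamp lines up with the time the malicious document was opened, which is useful when correlating against proxy or EDR logs.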


Let's talk about other detections. There are some well-known C2 URLs attributed to Follina that have been publicly revealed by security researchers. But we can't just blacklist those URLs/IPs and consider ourselves safe, because APT groups have already started exploiting Follina. For example, Threat Insight shared a tweet that TA413, a Chinese APT, is exploiting Follina. So new URLs keep appearing.


Fortunately, Microsoft has shared guidance for this new CVE. But we can also use custom detections: there is a YARA rule shared by Florian Roth, and an Elastic EQL query from Brent Murphy.


Let's share an additional detection. The registry key below stores remote destinations that MS Office was trying to reach:

  HKEY_USERS\<SID>\SOFTWARE\MICROSOFT\Office\16.0\Common\Internet\Server Cache

Source: Isa AlMannaei


So, we can check this registry key for any suspicious URL or IP address, which might be a C2 URL used in Follina exploitation. Thank you.
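To make that check repeatable across all users on a host, here is an added PowerShell example (not code from the original post or its cited source). It walks every loaded user hive under HKEY_USERS, opens the Server Cache key named above, and reports every subkey name or value that carries a URL, UNC path or IPv4 address, flagging anything not on a small allowlist. The allowlist of expected domains is constructed for illustration, and inspecting both subkey names and value data is an assumption, since the page does not describe the key's exact layout.

```powershell
# Added example, not from the original post. Assumes destinations appear as
# subkey names and/or value data under the Server Cache key; the page does not
# document the layout, so both are inspected. The allowlist below is constructed.

$relative = 'SOFTWARE\Microsoft\Office\16.0\Common\Internet\Server Cache'

# Constructed allowlist of destinations that are expected in this environment.
# Replace with your own; anything else is reported as suspicious for review.
$expectedHosts = @('sharepoint.com', 'office.com', 'microsoft.com')

function Test-ExpectedDestination([string]$text) {
    foreach ($h in $expectedHosts) {
        if ($text -like "*$h*") { return $true }
    }
    return $false
}

# Only real account SIDs: skip *_Classes hives and well-known service SIDs
Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
    ForEach-Object {
        $sid  = $_.PSChildName
        $base = "Registry::HKEY_USERS\$sid\$relative"
        if (-not (Test-Path -LiteralPath $base)) { return }

        # The base key itself plus every subkey beneath it
        $keys = @(Get-Item -LiteralPath $base) +
                @(Get-ChildItem -LiteralPath $base -Recurse -ErrorAction SilentlyContinue)

        foreach ($k in $keys) {
            $candidates = @($k.PSChildName) +
                          @($k.GetValueNames() | ForEach-Object { "$_=$($k.GetValue($_))" })

            foreach ($c in $candidates) {
                # URL, UNC path, or dotted-quad IPv4 address
                if ($c -match '(https?://|\\\\)\S+|\b\d{1,3}(\.\d{1,3}){3}\b') {
                    [pscustomobject]@{
                        Sid        = $sid
                        Key        = $k.Name
                        Entry      = $c
                        Suspicious = -not (Test-ExpectedDestination $c)
                    }
                }
            }
        }
    }
```

Because HKEY_USERS only exposes hives that are currently loaded, run this while the suspect user is logged on, or load the user's NTUSER.DAT first with reg.exe load. Entries marked Suspicious are candidates for a lookup against threat intelligence, not confirmed C2 on their own.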



Md. Abdullah Al Mamun

Cyber Defence Engineer, CyDefOps