{"id":3192,"date":"2021-09-10T15:34:20","date_gmt":"2021-09-10T15:34:20","guid":{"rendered":"https:\/\/fortgale.com\/news\/?p=3192"},"modified":"2026-06-08T22:54:17","modified_gmt":"2026-06-08T22:54:17","slug":"mshtml-vulnerability-defence-hunting","status":"publish","type":"post","link":"https:\/\/fortgale.com\/blog\/emerging-threats\/mshtml-vulnerability-defence-hunting\/","title":{"rendered":"MSHTML vulnerability \u2014 Defence and Threat Hunting"},"content":{"rendered":"\n

The vulnerability<\/a> CVE-2021-40444<\/strong> affects the MSHTML<\/strong> engine of Internet Explorer.
Although the use of Internet Explorer<\/strong> has declined significantly for web browsing, many software applications use it as an internal engine, particularly all Microsoft Office<\/strong> applications (Word and PowerPoint).<\/p>\n

This vulnerability enabled the creation of malware<\/strong> that exploits it to compromise systems through the delivery of malicious Microsoft Office documents<\/strong>.<\/p>\n

We conducted threat hunting<\/strong> activities to identify potential attacks of this type within monitored networks.<\/p>\n\n\n\n

Threat Hunting Activities<\/h1>\n\n\n\n

Our analyst team conducted threat hunting<\/strong> activities to identify potential compromises related to the described vulnerability.<\/p>\n

The first search consists of identifying disk writes of executable files with the .inf<\/strong> extension:<\/p>\n\n\n\n

event_platform=win event_simpleName=PeFileWritten\n| search FileName=\"*.inf\"\n| stats dc(aid) as uniqueSystems, count(aid) as totalWrites values(FilePath) as filePaths by FileName\n| sort + totalWrites\n<\/pre>\n\n\n\n
The second search allows identification of specific parameters in the command line launched by the rundll32 process within the “control.exe” context, to identify the initiation of early exploitation phases:<\/p>\n\n\n\n
event_platform=win event_simpleName=ProcessRollup2 \nFileName=rundll32.exe ParentBaseFileName=control.exe\n| search CommandLine=\"*.inf*\"\n| stats dc(CommandLine) as cmdLineVarations\n dc(aid) as uniqueEndpoints count(aid) as totalExecutions \nvalues(CommandLine) as commandLines by FileName, ParentBaseFileName\n<\/pre>\n\n\n\n
Attack Details<\/h2>\n\n\n\n
The malicious file can be sent as a Microsoft Office document<\/strong> attached to an email message<\/strong>. Opening the malicious file would initiate the system compromise process.<\/p>\n
Microsoft Office<\/strong> uses Protected View<\/strong> and Application Guard<\/strong> for Office to prevent attacks from documents received over the Internet. However, users can click the “Enable Editing<\/strong>” button, thereby disarming Microsoft’s security mechanisms.<\/p>\n
The attack begins through the HTML file embedded in the Word document and initiates the download of the “side.html” file.<\/p>\n\n\n
\n
\"\"<\/figure>\n<\/div>\n\n\n
Subsequently, a .CAB<\/strong> file is downloaded and extracted as a DLL<\/strong>. Finally, the extracted file named “championship.inf” is executed. Execution of this file exploits a directory traversal attack<\/strong>, which consists of exploiting insufficient security validation of user-supplied files. Detection of such activity patterns through Managed SOC<\/a> capabilities enables rapid identification of post-exploitation indicators.<\/p>\n
The final malware payload is a Cobalt Strike beacon<\/strong> that is launched on the victim’s machine.<\/p>\n\n\n
\n
\"\"<\/figure>\n<\/div>","protected":false},"excerpt":{"rendered":"
MSHTML vulnerability defensive approach: telemetry sources, hunting queries, indicators of exploitation and detection rules for SOC teams.<\/p>\n","protected":false},"author":1,"featured_media":2615,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[1491,1643,3237,1645,1647,3238,353,1649],"class_list":["post-3192","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-emerging-threats","tag-cve-it","tag-cve-2021-40444-it","tag-detection-rules","tag-exploit-it","tag-mshtml-it","tag-office-exploitation","tag-threat-hunting","tag-vulnerabiliy-it"],"_links":{"self":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/3192","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/comments?post=3192"}],"version-history":[{"count":2,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/3192\/revisions"}],"predecessor-version":[{"id":9883,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/3192\/revisions\/9883"}],"wp:attachment":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media?parent=3192"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/categories?post=3192"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/tags?post=3192"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}