Detecting Windows Installer Zero-Day (CVE-2021-41379) Exploits

[post-views]
November 25, 2021 · 5 min read
Detecting Windows Installer Zero-Day (CVE-2021-41379) Exploits

A moment of luck for threat actors and yet another major headache for cyber defenders! On November 22, 2021, security researcher Abdelhamid Naceri released a fully-functional proof-of-concept (PoC) exploit for the new Windows Installer zero-day vulnerability. The flaw (CVE-2021-41379) allows adversaries to obtain SYSTEM privileges on any device running Windows 10, Windows 11, and Windows Server. Obviously, it didn’t take long to observe attacks leveraging the notorious security issue in the wild.

InstallerFileTakeOver PoC for CVE-2021-41379

The vulnerability in question is a Windows Installer elevation of privilege (EoP) bug initially patched by Microsoft in November 2021. Yet, the bug was not fixed properly, which allowed Abdelhamid Naceri, the researcher who revealed the issue, to find a way to overcome the protections. What is worse, during his investigation, Naceri discovered a much more severe EoP glitch that affects all currently supported Windows versions.

Based on his findings, Naceri released a fully-fledged PoC exploit, dubbed “InstallerFileTakeOver”. If exploited, the PoC allows hackers to reach admin privileges when logged into a Windows machine with Edge installed. This malicious routine is performed by overwriting Microsoft Edge Elevation Service DACL to replace any executable file on the system with an MSI file. As a result, an adversary can run any malicious code as an administrator. Notably, InstallerFileTakeOver allows bypassing the group policies that prevent “Standard” users from launching MSI installer operations, making the PoC exploit even more dangerous.

According to the Bleeping Computer commentary, Naceri decided to release the proof-of-concept exploit for CVE-2021-41379 to protest against significantly decreased bug bounty rewards by Microsoft. And threat actors are taking advantage of this. The Cisco Talos Security Intelligence and Research group reports that the PoC is successfully reproduced. Moreover, researchers provide evidence of the exploit being actively utilized in the wild.

CVE-2021-41379 Detection and Mitigation

The PoC can be successfully exploited on any Windows device, including fully-patched Windows 10, Windows 11, and Windows Server 2022 machines. Experts recommend avoiding any mitigation attempts due to the risk of breaking Windows Installer. The best decision in this situation is to wait for Microsoft’s December Patch Tuesday Release, which most likely will bring the CVE-2021-41379 patch.

To identify the malicious activity associated with Windows Installer zero-day, security practitioners can download a set of curated Sigma rules available in SOC Prime’s Detection as Code platform:

LPE InstallerFileTakeOver PoC CVE-2021-41379

The detection has translations for the following SIEM & XDR platforms: Azure Sentinel, Splunk, ELK Stack, Sumo Logic, QRadar, Humio, FireEye, LogPoint, Graylog, Regex Grep, Apache Kafka ksqlDB, and Securonix.

The rule is aligned with the latest ATT&CK® framework v.10 addressing the Initial Access tactic and the Exploit Public-Facing Application technique (T1190).

Possible InstallerFileTakeOver LPE CVE-2021-41379

The detection has translations for the following SIEM  & XDR platforms: Azure Sentinel, Splunk, ELK Stack, Sumo Logic, ArcSight, QRadar, Humio, FireEye, Microsoft Defender ATP, Carbon Black, LogPoint, Graylog, Regex Grep, Microsoft PowerShell, RSA NetWitness, Apache Kafka ksqlDB, and Securonix.

The rule is aligned with the latest MITRE ATT&CK framework v.10 addressing the Privilege Escalation tactic with Exploitation for Privilege Escalation as the main technique (T1068).

InstallerFileTakeOver LPE CVE-2021-41379 File Create Event

The detection has translations for the following SIEM  & XDR platforms: Azure Sentinel, Chronicle Security, Splunk, ELK Stack, Sumo Logic, ArcSight, QRadar, Humio, FireEye, Microsoft Defender ATP, Carbon Black, LogPoint, Graylog, Regex Grep, Microsoft PowerShell, RSA NetWitness, and Apache Kafka ksqlDB.

The rule is aligned with the latest MITRE ATT&CK framework v.10 addressing the Privilege Escalation tactic and the Exploitation for Privilege Escalation technique (T1068).

Possible InstallerFileTakeOver [CVE-2021-41379] Exploitation Activity (via file event)

The detection has translations for the following SIEM & XDR platforms: Azure Sentinel, Chronicle Security, Splunk, ELK Stack, Sumo Logic, ArcSight, QRadar, Humio, FireEye, Microsoft Defender ATP, Carbon Black, LogPoint, Graylog, Regex Grep, Microsoft PowerShell, RSA NetWitness, Apache Kafka ksqlDB, and Securonix.

The rule is aligned with the latest MITRE ATT&CK framework v.10 addressing the Defense Evasion tactic. More specifically, the detection addresses the File and Directory Permissions Modification (T1222) technique with its sub-technique File and Directory Permissions Modification: Windows File and Directory Permissions Modification (T1222.001).

Register to SOC Prime’s Detection as Code platform for free and take your threat discovery and threat hunting operations to the next level. Instantly hunt for the latest threats within 20+ supported SIEM and XDR technologies, boost the awareness of all the latest attacks in the context of exploited vulnerabilities and MITRE ATT&CK matrix, and streamline your security operations. Eager to make the world a safer place? Join our Threat Bounty program, share your Sigma and Yara rules via the Threat Detection Marketplace repository, and get recurrent rewards for your individual contribution! Refer to our guide for berginners to learn what are Sigma rules and how to create them.

Go to Platform Join Threat Bounty

Table of Contents

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts