Threat Overview – #MonikerLink
CVE-2024-21413 (MonikerLink) is a critical security vulnerability in the Microsoft Outlook software. This vulnerability, released by CheckPoint and Microsoft in February 2024, is suspected to impact all prior versions of Microsoft Outlook due to the method in which it interacts with COM API’s. CheckPoint research stated in their analysis of MonikerLink “we’ve confirmed this #MonikerLink bug/attack vector on the latest Windows 10/11 + Microsoft 365 (Office 2021) environments. Other Office editions/versions are likely affected (by MonikerLink), too. In fact, we believe this is an overlooked issue which existed in the Windows/COM ecosystem for decades, since it lies in the core of the COM APIs.” (CheckPoint, 2024). MonikerLink is being actively exploited.
Get your FREE Community Account today on the HUNTER Platform and get access to behavioral threat hunting content for your SIEM, EDR, NDR, and XDR platforms!
Hunt Packages
Microsoft Outlook Communicating Over Unusual Ports – Potential Exploitation
This Hunt Package was originally generated in response to a critical vulnerability in Microsoft Outlook, tracked as CVE-2024-21413. In addition to this vulnerability, this Hunt Package identifies potentially suspect network activities over port 80 or 445. While Outlook may generate a normal request over port 80, singular requests can often be an indication of malice. In February 2024, a zero-day was announced in Microsoft Outlook, tracked as CVE-2024-21413. The vulnerability enables attackers to obtain NTLM hashes from targeted users. Additionally in some cases a remote code execution scenario can occur without user interaction after a malicious link is clicked inside an email. The malicious email will likely appear like a typical phishing email, however instead of prompting a user to ensure they want to open the link, it bypasses this security check and automatically downloads and opens the attacker controlled file. Initial POCs that surfaced after the vulnerability disclosure, utilized SMB shares, external to the target machine to host files for the malicious link to download/execute. It is important to note, at the time of this Hunt Package’s creation, it is unclear the extent of applications or file types that can be abused as part of this vulnerability. As such, aside from mshta, other likely suspicious applications have been included to provide a more complete picture if the vulnerability expands
Suspicious Child Process to Microsoft Outlook – Potential Outlook Exploitation or Suspicious Script Execution
This Hunt Package was originally created in response to a critical vulnerability in Outlook, tracked as CVE-2024-21413. In February 2024, a zero-day was announced in Microsoft Outlook, tracked as CVE-2024-21413. The vulnerability enables attackers to obtain NTLM hashes from targeted users. Additionally in some cases a remote code execution scenario can occur without user interaction after a malicious link is clicked inside an email. The malicious email will likely appear like a typical phishing email, however instead of prompting a user to ensure they want to open the link, it bypasses this security check and automatically downloads and opens the attacker controlled file. It is important to note, at the time of this Hunt Package’s creation, it is unclear the extent of applications or file types that can be abused as part of this vulnerability. As such, aside from mshta, other likely suspicious applications have been included to provide a more complete picture if the vulnerability expands.
Microsoft Office Parent of Suspicious LOLB
Microsoft Office products have various methods of calling Windows scripting and execution programs and binaries. This logic looks for common LOLB, such as cmd.exe, powershell.exe, mshta.exe and several others, that are abused to launch malicious programs and malware. The occurrence of Office products being a parent of these LOLB is an indication of malware attempting to communicate with its Command and Control, download additional files or perform other malicious actions in order to compromise the system.
Possible SMB/LDAP External Communication (CVE-2023-23397)
This hunt package is designed to identify potential instances of CVE-2023-23397, a critical Microsoft Outlook vulnerability that has the potential to enable attackers to compromise user credentials through external LDAP or SMB calls. The package focuses on identifying suspicious interactions between the System process (as associated processes) and external hosts which should be abnormal in most environments.
