Trellix Global Defenders: Follina — Microsoft Office Zero-Day (CVE-2022-30190)
By Taylor Mullins, Robin Noyce, Benjamin Marandel · June 3, 2022
Trellix is continuing to monitor the threat activity associated with the Microsoft Office Zero-Day vulnerability that has been dubbed “Follina.” Chinese-linked Threat Actors are actively exploiting this zero-day vulnerability to execute malicious code remotely. At the time of this writing there is no official patch from Microsoft, but steps and protections can be put into place to mitigate against the attacks utilizing this Microsoft vulnerability.
Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability
The method at which these attacks are taking place is using malicious Word documents that execute PowerShell commands via the Microsoft Diagnostic Tool (MSDT). The ‘Follina’ zero-day features a remote code execution that works without elevated privileges, does not require macro enablement to execute binaries or scripts, and can bypass Windows Defender detection. Opening a Microsoft Word document in preview mode in Explorer is another method to detonate the malicious code which provides a vector for the exploitation to take place outside of the Protected View that Microsoft is reporting will prevent the attack. Furthermore, it is a signed binary, which enables the code to bypass windows validation controls. The Follina vulnerability is exploitable with Office 2013, 2016, 2019, 2021, Office ProPlus and Office 365.
Microsoft recommended workaround for microsoft support diagnostic tool (MSDT)
Microsoft has released guidance on disabling the Microsoft Diagnostic Tool (MSDT) URL protocol. The Microsoft Support Diagnostic Tool (MSDT) is a tool designed to collect information to send to the Microsoft Support.
CISA: Microsoft Releases Workaround Guidance for MSDT "Follina" Vulnerability
Trellix product protections for follina vulnerability
Trellix is continuing to add protections via threat feeds and content updates to the Trellix products as Indicators of Compromises (IOCs) and behavioral techniques are detected in the wild. In addition, there are initiative-taking steps that can further protect your environment against the attacks targeting the Follina zero-day vulnerability.
Follina zero-day threat intelligence and hunting rules
MVISION Insights is continually updated with the latest threat intelligence and known indicators that are being discovered related to the Microsoft zero-day vulnerability. Additionally, applying hunting rules and threat intelligence across the security stack is key for early detection and identification of the Tactics, Techniques, and Procedures (TTPs) associated with Follina.
MVISION Insights Campaign Name - Follina — A Microsoft Office Code Execution Vulnerability
Utilizing expert and behavioral rules in trellix endpoint security
Trellix ENS Threat Prevention and Adaptive Threat Protection (ATP) monitor Microsoft Word process activity and the start of a child Command line processes is detected and blocked (if configured to) by ENS ATP. Trellix ENS can also block common processes like cmd.exe from being spawned by Microsoft Office applications in a suspicious manner. The following rules in Trellix ENS Exploit Prevention and Adaptive Threat Protection (ATP) are recommended to observe or block behavioral activity associated with exploitation techniques.
Exploit Prevention Signature 6113: T1055 - Fileless Threat: Reflective Self Injection
Exploit Prevention Signature 6127: Suspicious LSASS Access from PowerShell
Exploit Prevention Signature 6143: T1003 - Attempt to Dump Password Hash from SAM Database
Exploit Prevention Signature 8004: Fileless Threat: Malicious PowerShell Behavior Detected
ATP Rule 239: Identify suspicious command parameter execution
ATP Rule 263: Detect processes accessing suspicious URLs
ATP Rule 301: Blocks cmd.exe from being spawned by office applications
ATP Rule 332: Prevent certutil.exe from downloading or decoding files with suspect extensions
The Trellix Advanced Threat Research (ATR) team has also created the following ENS Expert Rule to prevent techniques associated with exploitation. Outlined below are several screenshots on how to create this specific Expert Rule in Trellix ENS. Per standard practice, we recommend that customers test this rule in Report Only before moving to Block mode.
Detect new code injection method in Microsoft Office CVE-2022-30190
How to Use Expert Rules in ENS to Prevent Malicious Exploits
Hunting for suspicious behavior with MVISION EDR
MVISION EDR has the capability to search across historical and real-time data on endpoints to identify specific activity associated with exploitation and the MSDT process. Several examples and queries are noted below for using Historical and Real-time searches to analyze the Microsoft Diagnostic Tool (MSDT) process activity and interaction with CMD and PowerShell.
Processes and HostInfo hostname where Processes name equals msdt.exe – Real-time search query to locate activity specific to the Microsoft Diagnostic Tool (MSDT) process
ProcessName = msdt.exe – Historical search string to locate prior activity from MSDT.exe across your endpoints even if they are currently offline.
Trellix network security platform signature release
Trellix has released a User-Defined Signature (UDS) for the Network Security Platform (NSP) to provide an immediate solution to this security advisory. Trellix writes and tests these signatures with the objective of a quick turnaround.
Knowledge Center - REGISTERED - NSP Emergency UDS Release Notes - UDS-HTTP: Microsoft Support Diagnostic Tool Remote Code Execution Vulnerability (CVE-2022-30190) (mcafee.com)
Microsoft: Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability
Huntress: Rapid Response: Microsoft Office RCE - “Follina” MSDT Attack
Bleeping Computer: Windows MSDT zero-day now exploited by Chinese APT hackers
Mar 15, 2023
Trustwave and Trellix Announce Strategic Partnership to Deliver Best-in-Class Managed Detection and Response to Protect Global Organizations
Feb 22, 2023
Trellix Finds LockBit Ransomware Gang Most Apt to Leak Stolen Data
Feb 8, 2023
Trellix Launches Xtend Global Channel Partner Program
Feb 6, 2023
President Biden Names Bryan Palma to National Security Telecommunications Advisory Committee
Jan 17, 2023
Trellix Endpoint Scores 100% Detection with Zero False Positives in Latest SE Labs Endpoint Security Test
The latest from our newsroom
The Bug Report – January 2023 Edition
By Jesse Chick · February 1, 2023
January began with a headache on a Sunday morning and, if you happen to be on the receiving end of this month's remote code excitement, it ended with one, too.
Cyberattacks Targeting Ukraine Increase at End of 2022
By Daksh Kapur, Tomer Shloman, Robert Venal and John Fokker · January 24, 2023
From malicious email and URLs to nation-state backed use of malware, cyberactivity continues to accompany kinetic military activity and social discontent.
Trellix to Lead the XDR Market
By Daniel Ramos · December 19, 2022
Recognition by the analytical firms and peer review programs in all the main XDR front-end components including EDR, NDR, SEG, CWWP, and DLP.
Get the latest
We’re no strangers to cybersecurity. But we are a new company.
Stay up to date as we evolve.
Zero spam. Unsubscribe at any time.