Potential CVE-2021-41379 Exploitation Attempt

    Date: 01/03/2025

    Severity: Medium

    Summary

    A potential CVE-2021-41379 Exploitation Attempt is the detection of an attempt to exploit CVE-2021-41379, a local privilege escalation (LPE) vulnerability in the Windows Installer known as InstallerFileTakeOver. The known exploitation pattern launches cmd.exe as a child of the Microsoft Edge elevation service (elevation_service.exe), so the shell inherits LOCAL_SYSTEM rights. An attacker who succeeds gains elevated privileges on the affected system and can perform unauthorized actions with administrative-level access.

    Indicators of Compromise (IOC) List

    Image
        '\cmd.exe'
        '\powershell.exe'
        '\pwsh.exe'

    OriginalFileName
        'Cmd.Exe'
        'PowerShell.EXE'
        'pwsh.dll'

    ParentImage
        '\elevation_service.exe'

    IntegrityLevel
        'System'
        'S-1-16-16384'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    resourcename in ("Windows Security") AND Eventtype = "4688" AND newprocessname IN ("\cmd.exe","\powershell.exe","\pwsh.exe") AND processname IN ("Cmd.Exe","PowerShell.EXE","pwsh.dll") AND parentprocessname IN ("\elevation_service.exe") AND securityid IN ("System","S-1-16-16384")

    Detection Query 2

    technologygroup = "EDR" AND newprocessname IN ("\cmd.exe","\powershell.exe","\pwsh.exe") AND processname IN ("Cmd.Exe","PowerShell.EXE","pwsh.dll") AND parentprocessname IN ("\elevation_service.exe") AND securityid IN ("System","S-1-16-16384")

    Detection Query 3

    resourcename in ("Sysmon") AND Eventtype = "1" AND Image IN ("\cmd.exe","\powershell.exe","\pwsh.exe") AND originalfilename IN ("Cmd.Exe","PowerShell.EXE","pwsh.dll") AND parentimage IN ("\elevation_service.exe") AND integritylevel IN ("System","S-1-16-16384")

    Detection Query 4

    technologygroup = "EDR" AND Image IN ("\cmd.exe","\powershell.exe","\pwsh.exe") AND originalfilename IN ("Cmd.Exe","PowerShell.EXE","pwsh.dll") AND parentimage IN ("\elevation_service.exe") AND integritylevel IN ("System","S-1-16-16384")
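    The four queries above all test the same four fields. As an added example (not Gurucul's or the Sigma project's code), the Python below applies those conditions to constructed Sysmon Event ID 1 records; it assumes Image and ParentImage carry full paths, so the '\cmd.exe'-style indicators are matched as case-insensitive path suffixes, and the sample parent path is a constructed placeholder.

```python
# IOC values from the list above; all comparisons are case-insensitive.
IMAGES = ("\\cmd.exe", "\\powershell.exe", "\\pwsh.exe")
ORIGINAL_FILENAMES = ("cmd.exe", "powershell.exe", "pwsh.dll")
PARENT_IMAGES = ("\\elevation_service.exe",)
INTEGRITY_LEVELS = ("system", "s-1-16-16384")


def matches_cve_2021_41379(event: dict) -> bool:
    """True when a Sysmon Event ID 1 record satisfies all four conditions.

    Assumption: Image and ParentImage hold full paths, so the '\\...exe'
    indicators are applied as suffix matches; OriginalFileName and
    IntegrityLevel are compared as whole values.
    """
    if event.get("EventID") != 1:  # only process-creation events apply
        return False
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    original = event.get("OriginalFileName", "").lower()
    integrity = event.get("IntegrityLevel", "").lower()
    return (
        image.endswith(IMAGES)
        and original in ORIGINAL_FILENAMES
        and parent.endswith(PARENT_IMAGES)
        and integrity in INTEGRITY_LEVELS
    )


def find_hits(events):
    """Return the subset of events that match the pattern."""
    return [e for e in events if matches_cve_2021_41379(e)]


# Constructed sample records (not real telemetry); the parent path is a
# placeholder shaped like an Edge install directory.
EDGE_SVC = r"C:\Program Files (x86)\Microsoft\Edge\Application\elevation_service.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "Cmd.Exe", "ParentImage": EDGE_SVC,
     "IntegrityLevel": "System"},                         # hit
    {"EventID": 1, "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "OriginalFileName": "pwsh.dll", "ParentImage": EDGE_SVC,
     "IntegrityLevel": "S-1-16-16384"},                   # hit (SID form)
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "Cmd.Exe", "ParentImage": EDGE_SVC,
     "IntegrityLevel": "Medium"},                         # miss: not System
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "Cmd.Exe", "IntegrityLevel": "System",
     "ParentImage": r"C:\Windows\explorer.exe"},          # miss: parent
]
```

    Events 3 and 4 show why the parent and integrity-level conditions are required: cmd.exe launched by the elevation service at Medium integrity, or at System integrity from a different parent, does not fit the exploitation pattern.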

    Reference:

    https://github.com/SigmaHQ/sigma/blob/master/rules-emerging-threats/2021/Exploits/CVE-2021-41379/proc_creation_win_exploit_cve_2021_41379.yml

    Tags

    Sigma, Malware, CVE-2021, Exploitation
