by Bhabesh Raj Rai, Security Research
On May 27, 2022, a security researcher highlighted a malicious document submitted to VirusTotal from Belarus. The document used Microsoft Office’s remote template feature to download an HTML file remotely and subsequently load it, which executed a PowerShell payload via the Microsoft Support Diagnostic Tool (MSDT). Adversaries who can exploit the vulnerability successfully can run arbitrary code with the privileges of the calling application. Microsoft was already informed of the flaw’s use in the wild in April but did not consider the flaw a security issue.
Analysis of the malicious document revealed a “zero-day” vulnerability, nicknamed Follina, in Windows’s MSDT URL Protocol. Office applications can effectively execute PowerShell code by proxy through the ms-msdt URL scheme. A URL scheme is a specification that links URLs to specific applications. For example, a user who clicks on a URL scheme (e.g., slack://) will open the corresponding application (Slack).
Three days later, Microsoft assigned the flaw CVE-2022-30190, with a CVSS score of 7.8 out of 10, and released corresponding guidance. The vulnerability is similar to another RCE zero-day (CVE-2021-40444) in Microsoft MSHTML. Security researchers have found the exploit to be in use since April.
Administrators should note that this vulnerability does not rely on macros, so its exploitation does not depend on whether or not macros are disabled.
The vulnerability is especially dangerous because an adversary can use its RTF variant to bypass Protected View and Application Guard for Office: Windows renders the RTF file automatically through Explorer’s preview pane.
Several working PoCs are publicly available. Security researchers have found RTF versions to be working even on the latest Office 365 version. In one case, the adversary used Follina to deliver a Cobalt Strike payload.
Follina fast facts
- Microsoft has not released any patch to fix the zero-day
- Microsoft Support Diagnostic Tool (MSDT) exists on every default Windows installation
- The flaw lies in MSDT itself, so it can be reached through means other than Microsoft Office
- RTF version bypasses Protected View and Application Guard for Office
- One of the best mitigation methods is to disable the preview pane in Windows Explorer
Log sources needed
- Windows
Detecting exploitation in Logpoint
Analysts need to look for the spawning of the MSDT process by Office applications. To reduce false positives (if any), we can further search for the use of the ms-msdt scheme, as shown below.
label="Process" label=Create parent_process IN ["*\winword.exe", "*\excel.exe", "*\outlook.exe"] "process"="*\msdt.exe" command IN ["* ms-msdt:/id *", "* ms-msdt:-id *"] command="*IT_RebrowseForFile=*IT_BrowseForFile=*" | chart count() by host, user, parent_process, "process", command, parent_command
Searching for Follina artifacts in process creation events
Microsoft Defender has an attack surface reduction rule (ASR) that blocks Office applications from spawning child processes. If administrators have enabled the ASR rule, they can look for triggers of the specific ASR rule.
norm_id=WinServer label=Attack label=Surface label=Reduce involved_file="*IT_RebrowseForFile=*IT_BrowseForFile=*" rule_id IN ["D4F940AB-401B-4EFC-AADC-AD5F3C50688A", "26190899-1602-49e8-8b27-eb1d0a1ce869"] | process eval("rule=if(rule_id == 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'){ return 'Block all Office applications from creating child processes'}") | process eval("rule=if(rule_id == '26190899-1602-49E8-8B27-EB1D0A1CE869'){ return 'Block Office communication application from creating child processes'}") | chart count() by host, user, rule, "process", involved_file, path
Searching for Follina artifacts in Microsoft Defender’s ASR trigger events
Microsoft has released signatures for Defender for detecting Follina. Administrators need to make sure they forward Defender’s events (Microsoft-Windows-Windows Defender/Operational) to Logpoint.
norm_id=WinServer label=Threat label=Detect threat IN ["Trojan:Win32/Mesdetty.A", "Trojan:Win32/Mesdetty.B", "Behavior:Win32/MesdettyLaunch.A", "Behavior:Win32/MesdettyLaunch.B", "Behavior:Win32/MesdettyLaunch.C"]
MSDT uses sdiagnhost.exe (Scripted Diagnostics Native Host) to channel executions. We advise analysts to monitor suspicious child processes of sdiagnhost.exe. To reduce false positives, they may need to put some legitimate processes in the allow list.
label="Process" label=Create parent_process="*\sdiagnhost.exe" "process" IN ["*\cmd.exe", "*\powershell.exe", "*\powershell_ise.exe", "*\wscript.exe", "*\cscript.exe", "*\rundll32.exe", "*\regsvr32.exe"] | chart count() by host, user, "process", parent_command, command
Searching for suspicious child processes of sdiagnhost.exe
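The two process-creation hunts above (Office spawning msdt.exe with an ms-msdt URL, and interpreters spawned by sdiagnhost.exe) can also be run directly on an endpoint without a SIEM. The following PowerShell script is an added example, not Logpoint's own content; it assumes Sysmon is installed and writing Event ID 1 to the Microsoft-Windows-Sysmon/Operational channel, and the Office parent list, suspicious-child list and allow list are starting points to adjust for your environment.

```powershell
# Added example (not from the Logpoint post). Hunts Sysmon Event ID 1 (process creation)
# for the two Follina patterns described above:
#   (a) msdt.exe spawned by an Office application with an ms-msdt: URL on its command line
#   (b) interpreters spawned by sdiagnhost.exe, the host MSDT uses for scripted diagnostics
# Assumption: Sysmon logs to Microsoft-Windows-Sysmon/Operational.
param(
    [int]$Days = 7,
    # Assumption: common Office hosts; extend with other Office binaries as needed.
    [string[]]$OfficeParents = @('winword.exe', 'excel.exe', 'outlook.exe', 'powerpnt.exe'),
    # Children that sdiagnhost.exe should not normally launch (same list as the query above).
    [string[]]$SuspiciousChildren = @('cmd.exe', 'powershell.exe', 'powershell_ise.exe',
                                      'wscript.exe', 'cscript.exe', 'rundll32.exe', 'regsvr32.exe'),
    # Add binaries that legitimate troubleshooters launch in your estate to cut false positives.
    [string[]]$AllowList = @()
)

function ConvertFrom-SysmonEvent {
    # Flatten the EventData of a Sysmon record into a hashtable keyed by field name.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $xml = [xml]$Record.ToXml()
    $fields = @{}
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    $fields['TimeCreated'] = $Record.TimeCreated
    return $fields
}

function Test-FollinaMsdt {
    # Office parent -> msdt.exe, with the ms-msdt URL and the BrowseForFile markers on the command line.
    param([hashtable]$E)
    $parent = [System.IO.Path]::GetFileName($E['ParentImage'])
    $image  = [System.IO.Path]::GetFileName($E['Image'])
    return ($OfficeParents -contains $parent) -and
           ($image -eq 'msdt.exe') -and
           ($E['CommandLine'] -match 'ms-msdt:[/-]id') -and
           ($E['CommandLine'] -match 'IT_RebrowseForFile=.*IT_BrowseForFile=')
}

function Test-SdiagnhostChild {
    # sdiagnhost.exe launching an interpreter that is not on the allow list.
    param([hashtable]$E)
    $parent = [System.IO.Path]::GetFileName($E['ParentImage'])
    $image  = [System.IO.Path]::GetFileName($E['Image'])
    return ($parent -eq 'sdiagnhost.exe') -and
           ($SuspiciousChildren -contains $image) -and
           -not ($AllowList -contains $image)
}

$filter = @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 1
    StartTime = (Get-Date).AddDays(-$Days)
}

# SilentlyContinue: an empty result set is not an error for a hunt.
$hits = foreach ($rec in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
    $e = ConvertFrom-SysmonEvent -Record $rec
    $rule = if (Test-FollinaMsdt $e) { 'Office -> msdt.exe with ms-msdt URL' }
            elseif (Test-SdiagnhostChild $e) { 'Suspicious child of sdiagnhost.exe' }
    if ($rule) {
        [pscustomobject]@{
            Time          = $e['TimeCreated']
            Rule          = $rule
            Host          = $env:COMPUTERNAME
            User          = $e['User']
            Parent        = $e['ParentImage']
            Process       = $e['Image']
            CommandLine   = $e['CommandLine']
            ParentCommand = $e['ParentCommandLine']
        }
    }
}

$hits | Sort-Object Time | Format-Table -AutoSize -Wrap
```

Run it as an administrator so the Sysmon channel is readable; the output columns mirror the fields the Logpoint queries chart on, so results can be compared side by side with SIEM hits.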
On the network side, analysts can hunt for Office applications fetching HTML files by looking for the Office user-agent string in network events.
device_category IN [Firewall, ProxyServer, IDS] url="*.html" user_agent="*; ms-office; *" request_method=GET
Searching for Office application’s user-agents in HTTP events
Mitigations to prevent Follina exploitation
Since no patch is available, we strongly advise administrators to assess and place the following mitigations to prevent Follina exploitation.
- Disable the MSDT URL Protocol via registry
- Disable the preview pane in Windows Explorer
- Configure the ASR rule to block Office applications from spawning processes
- Disable the use of Windows’s troubleshooting wizards via GPO
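The four mitigations listed above can be applied from one elevated PowerShell session. The script below is an added example, not Logpoint's or Microsoft's own tooling; the ms-msdt registry removal follows Microsoft's published workaround (export, then delete), and the ASR rule IDs are the two the detection query in this post keys on. The registry values used for the preview-pane and troubleshooting-wizard policies (NoReadingPane and EnableDiagnostics) are assumptions taken from the corresponding Group Policy settings; confirm them against your policy templates before pushing them fleet-wide.

```powershell
# Added example (not from the Logpoint post): applies the four Follina mitigations above.
# Run from an elevated PowerShell session. The ms-msdt key is exported first so the
# handler can be restored once a patch is installed.
#Requires -RunAsAdministrator

$backupDir = Join-Path $env:ProgramData 'FollinaMitigation'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# 1. Disable the ms-msdt URL protocol handler (Microsoft's published workaround).
$backup = Join-Path $backupDir 'ms-msdt.reg'
if (Test-Path 'Registry::HKEY_CLASSES_ROOT\ms-msdt') {
    reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $backup /y | Out-Null
    reg.exe delete 'HKEY_CLASSES_ROOT\ms-msdt' /f | Out-Null
    Write-Host "ms-msdt handler removed; backup written to $backup"
} else {
    Write-Host 'ms-msdt handler already absent'
}

# 2. Turn off the Explorer preview pane for the current user.
#    Assumption: NoReadingPane=1 under Policies\Explorer is the registry form of the
#    "Turn off Preview Pane" policy.
$explorerPolicy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
New-Item -Path $explorerPolicy -Force | Out-Null
Set-ItemProperty -Path $explorerPolicy -Name 'NoReadingPane' -Value 1 -Type DWord

# 3. Enable the Defender ASR rules that block Office applications from spawning children.
$asrRules = @(
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A',  # Block all Office applications from creating child processes
    '26190899-1602-49E8-8B27-EB1D0A1CE869'   # Block Office communication application from creating child processes
)
foreach ($rule in $asrRules) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $rule -AttackSurfaceReductionRules_Actions Enabled
}

# 4. Disable scripted diagnostics (troubleshooting wizards) machine-wide.
#    Assumption: EnableDiagnostics=0 under Policies\Microsoft\Windows\ScriptedDiagnostics
#    is the registry form of "Troubleshooting: Allow users to access and run Troubleshooting Wizards".
$diagPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics'
New-Item -Path $diagPolicy -Force | Out-Null
Set-ItemProperty -Path $diagPolicy -Name 'EnableDiagnostics' -Value 0 -Type DWord

# Verification summary: every line should read False / True / 2 / True once applied.
$enabledAsr = @((Get-MpPreference).AttackSurfaceReductionRules_Ids | Where-Object { $asrRules -contains $_ })
[pscustomobject]@{
    MsdtHandlerPresent = Test-Path 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
    PreviewPaneOff     = (Get-ItemProperty -Path $explorerPolicy).NoReadingPane -eq 1
    AsrRulesEnabled    = $enabledAsr.Count
    DiagnosticsOff     = (Get-ItemProperty -Path $diagPolicy).EnableDiagnostics -eq 0
}
```

The preview-pane value is per user, so in a managed estate deliver steps 2 and 4 through Group Policy rather than this script; keep the exported ms-msdt.reg so the handler can be reinstated with reg.exe import after patching.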
MSDT creates a PCW.debugreport.xml file in the %LOCALAPPDATA%\Diagnostics and %LOCALAPPDATA%\ElevatedDiagnostics directories after the user closes the troubleshooting window. The file contains Follina artifacts that may help during incident response.
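As an added example for the incident-response step just described (not part of the Logpoint post), the script below collects every PCW.debugreport.xml from the two directories named above across all local user profiles, records a SHA-256 hash and last-write time for each, and flags files that contain the ms-msdt and BrowseForFile markers used by the detection queries in this post. Flagged files are copied to an evidence folder; the folder location and the choice of indicator strings are assumptions.

```powershell
# Added example (not from the Logpoint post): triage MSDT's PCW.debugreport.xml artifacts.
# Run as an administrator so that every profile under the system drive is readable.
# Indicator strings are the ones the detection queries above rely on; extend as needed.
$indicators = @('ms-msdt:', 'IT_BrowseForFile=', 'IT_RebrowseForFile=')
$evidenceRoot = Join-Path $env:ProgramData 'FollinaEvidence'   # assumption: evidence location

$usersRoot = Join-Path $env:SystemDrive 'Users'
$reports = foreach ($userDir in Get-ChildItem -Path $usersRoot -Directory) {
    # Both locations map to %LOCALAPPDATA%\Diagnostics and %LOCALAPPDATA%\ElevatedDiagnostics.
    foreach ($sub in 'AppData\Local\Diagnostics', 'AppData\Local\ElevatedDiagnostics') {
        $root = Join-Path $userDir.FullName $sub
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -Filter 'PCW.debugreport.xml' -ErrorAction SilentlyContinue |
            ForEach-Object { [pscustomobject]@{ Profile = $userDir.Name; File = $_ } }
    }
}

$findings = foreach ($r in $reports) {
    $content = Get-Content -LiteralPath $r.File.FullName -Raw -ErrorAction SilentlyContinue
    $hit = $indicators | Where-Object {
        $content -and $content.IndexOf($_, [System.StringComparison]::OrdinalIgnoreCase) -ge 0
    }
    [pscustomobject]@{
        Profile    = $r.Profile
        Path       = $r.File.FullName
        Modified   = $r.File.LastWriteTimeUtc
        SHA256     = (Get-FileHash -LiteralPath $r.File.FullName -Algorithm SHA256).Hash
        Indicators = ($hit -join ', ')
    }
}

# Preserve flagged reports before any cleanup, one folder per profile, timestamped by last write.
foreach ($x in ($findings | Where-Object Indicators)) {
    $dest = Join-Path $evidenceRoot $x.Profile
    New-Item -ItemType Directory -Path $dest -Force | Out-Null
    $name = $x.Modified.ToString('yyyyMMddTHHmmssZ') + '_PCW.debugreport.xml'
    Copy-Item -LiteralPath $x.Path -Destination (Join-Path $dest $name)
}

$findings | Sort-Object Modified -Descending |
    Format-Table Profile, Modified, Indicators, SHA256 -AutoSize
```

Because the report is only written when the troubleshooting window is closed, an empty result does not rule out exploitation; pair this with the process-creation hunt and the Defender detections above.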
So far, Microsoft has not given a timeline for a patch. We have seen how many enterprises are still using old versions of Microsoft Office. Now is the time for administrators to assess which versions of Office are in use in the enterprise and create a patching process. Although Office’s protection features—Protected View and Application Guard for Office—do not entirely block Follina exploitation, we advise administrators to ensure they are enabled and not to rely on them alone.