FortiEDR
FortiEDR automates the protection against advanced threats, pre and post-execution, with real time orchestrated incident response functionality.
mrobson
Staff
Article Id 200636

Introduction

On 09 November 2021, Microsoft released CVE-2021-41379, a local privilege escalation vulnerability that takes advantage of flaw(s) within the Windows Installer service. By exploiting this vulnerability an attacker can achieve local arbitrary code execution as SYSTEM. This vulnerability is present in all currently supported versions of Windows, including server versions. It was originally identified and reported to Microsoft by Abdelhamid Naceri as part of the Trend Micro Zero Day Initiative.

 

Earlier this week Microsoft released their November 2021 monthly security rollup, which was supposed to patch this vulnerability. Unfortunately, the patch was ineffective at removing the vulnerability. Abdelhamid Naceri (klinix5), the original vulnerability discloser, has since released PoC code for the vulnerability, including source code so it can be rebuilt or extended to provide additional functionality. The ‘vanilla’ version of this particular POC alters the access permissions for a target file to allow user access. PoCs for widespread vulnerabilities such as this are invaluable in enabling the cyber security community to adapt security solutions to ensure endpoints remain secure. The PoC used as part of this testing is available here: https://github.com/klinix5/InstallerFileTakeOver

This article outlines how FortiEDR is able to detect and mitigate attempts to exploit this vulnerability using behavioral detections, machine learning and sandboxing regardless of changes or extensions to the PoC as demonstrated below.

 

To demonstrate, FortiEDR was installed on a Windows 10 test host. The public release of klinix5’s PoC was executed on the test host and used to attempt to gain system level access to a test file. In this test PowerShell was used to launch ‘InstallerFileTakeover.exe’ with the target file as ‘resource.h’. For this test FortiEDR was put into ‘Simulation’ mode to demonstrate the full breadth of detections that prevent the exploitation of this vulnerability from being effective. Figure 1 below shows the events generated as a result of this PoC code.


Figure 1. View of FortiEDR console showing events related to execution of the CVE-2021-41379 POC code executable.

 

From the Event Graph at the bottom of the interface we can see the process tree showing PowerShell launching ‘InstallerFileTakeOver.exe’, which in turn launches a ‘msiexec.exe’ child process. This msiexec child process can then be seen triggering the ‘Access to critical system information’ rule as part of the ‘Exfiltration Policy’, one of FortiEDR’s post-exploitation policies. As outlined in the rule description, this rule is triggered when a process attempts to access credentials, passwords or other critical information in a suspicious manner. This rule may be triggered by a malicious process or by a user attempting to obtain higher credentials for lateral movement or to elevate privileges. In the case of this detection, FortiEDR detects the exploit attempting to elevate privileges.

 

In addition to detecting the anomalous privilege escalation attempt, machine learning components that form part of Fortinet Cloud Services (FCS) flagged the unknown sample as Malicious with a medium likelihood of being a PUP. This can be seen in Figure 2 below. This classification as a PUP would have prevented the sample from executing and effectively accessing credentials if FortiEDR had been in Protection mode.


Figure 2. FCS Automated Analysis data is displayed through the FortiEDR interface, describing why the POC was initially flagged as a PUP, then as malicious.

 

In addition to the FCS machine learning classification, once the FCS sandbox analysis had completed (approximately 10 minutes later) the sample was correctly identified as exploiting CVE-2021-41379 and was reclassified as malicious. The reclassification can be observed at the top left of Figure 2 and the correct identification can be observed in Figure 3 below, which shows the FCS sandbox assessment of the sample. This reclassification would have triggered any playbooks configured in a FortiEDR environment to take action on malicious file events, which could result in the file being quarantined, the affected endpoint being isolated or the file being deleted. This allows the end user to automate cleanup of malicious files like this one.


Figure 3. FCS sandbox classification successfully identifying and classifying indicators of the CVE-2021-41379 exploit.

 

Mitigating with FortiEDR

All events detected above will be blocked by FortiEDR if configured in Protection mode with the following policies and rules enabled:

[Image Policy_Table.PNG: table of the FortiEDR policies and rules that must be enabled]

 


Threat Hunting

The sample analyzed as part of this KB was taken directly from klinix5’s POC, resulting in some interesting telemetry IOCs that can be used to track non-modified versions of this POC. Whilst a skilled adversary may adapt the POC code for their own purposes and to remove these IOCs, low tier actors, who we often see integrating POCs into their workflows shortly after release, are unlikely to have the skill or need to do this. Some of these interesting indicators and associated FortiEDR Threat Hunting queries are shown below. Note that whilst these queries will detect the use of this POC or recompiled versions with minor changes, they may not be 100% effective at detecting all exploitation of CVE-2021-41379.

 

Detect file creation in POC specific folder

As part of the POC exploit a file called notepad.exe is created, written to and then deleted from a unique directory in the user’s temp folder. This unique directory is created in the user’s temp directory for each execution of the POC with the path ‘<Drive>\Users\<user>\AppData\Local\Temp\<{unique GUID per execution}>\microsoft plz’. The following query can be used to identify this unique file create event through the FortiEDR Threat Hunting feature.

Type:"File Create" AND Target.File.Path:("\\AppData\\Local\\Temp\\" AND "\\microsoft plz\\notepad.exe")


Figure 4. Example output of above FortiEDR Threat Hunting query being used to identify instances of the POC being used to take control of some test files.

 

The returned Threat Hunting events provide a number of useful pivots, allowing an analyst to identify the executable name, path and hash of the executable containing the exploit as well as the user context in which it was executed. This can support manual retrieval efforts, identification of similar files within a network and quick identification of potentially compromised user accounts. The ‘Source Process Command Line’ field will also indicate the file targeted for takeover; for the highlighted event in Figure 4 this is ‘C:\Windows\system.ini’.

 

Detect unsigned msiexec parent

The premise of this exploit is the misuse of msiexec.exe for LPE. The POC in its current form is an unsigned binary. Based on analysis of msiexec behaviour in a number of test environments, legitimate installers are typically signed with valid signatures. We can use this characteristic to identify usage of this POC and, more generically, anomalous msiexec usage. Figure 5 below is an example of the result returned in the test environment for the query across 30 days of test data, with no false positives despite extensive msiexec usage.

Type:"Process Creation" AND Target.Process.Name:"msiexec.exe" AND Source.Process.File.Signed: ("false")


Figure 5. Example output of second provided FortiEDR Threat Hunting query being used to identify anomalous msiexec processes that could be related to this POC.

 

The returned ‘Process Creation’ threat hunting events contain a number of useful pivots. The parent process of msiexec will be the POC binary, and the event will include the path to the parent process, the executing user context and the command-line arguments of the POC process, which reveal the file targeted for takeover. The ‘Process Creation’ event type also contains the hash of the POC, which can be used to quickly search the environment for other compromised hosts. Note that not all msiexec ‘Process Creation’ events returned by this query will necessarily be related to this CVE-2021-41379 POC, so verify against other indicators before taking action.
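The two Threat Hunting queries above, evaluated as an added example that is not FortiEDR’s own code: the same matching logic run in Python over constructed event records whose keys mirror the query field names, together with the command-line pivot that reveals the takeover target. The GUID, user name and command lines in the sample events are placeholders.

```python
from typing import Dict, List, Tuple

# Constructed sample telemetry (not real FortiEDR output); keys mirror the
# field names in the Threat Hunting queries. The GUID is a placeholder.
EVENTS: List[Dict[str, str]] = [
    {"Type": "File Create",
     "Target.File.Path": r"C:\Users\alice\AppData\Local\Temp\{00000000-0000-0000-0000-000000000000}\microsoft plz\notepad.exe",
     "Source.Process.Name": "InstallerFileTakeOver.exe",
     "Source.Process.CommandLine": r"InstallerFileTakeOver.exe C:\Windows\system.ini"},
    {"Type": "File Create",  # ordinary temp write: must not match query 1
     "Target.File.Path": r"C:\Users\alice\AppData\Local\Temp\notepad.exe"},
    {"Type": "Process Creation",
     "Target.Process.Name": "msiexec.exe",
     "Source.Process.File.Signed": "false",
     "Source.Process.Name": "InstallerFileTakeOver.exe",
     "Source.Process.CommandLine": r"InstallerFileTakeOver.exe C:\Windows\system.ini"},
    {"Type": "Process Creation",  # signed vendor installer: must not match query 2
     "Target.Process.Name": "msiexec.exe",
     "Source.Process.File.Signed": "true"},
]

def match_poc_file_create(ev: Dict[str, str]) -> bool:
    """Query 1: File Create whose path holds both PoC fragments (case-insensitive)."""
    path = ev.get("Target.File.Path", "").lower()
    return (ev.get("Type") == "File Create"
            and "\\appdata\\local\\temp\\" in path
            and "\\microsoft plz\\notepad.exe" in path)

def match_unsigned_msiexec_parent(ev: Dict[str, str]) -> bool:
    """Query 2: msiexec.exe started by a parent whose image is unsigned."""
    return (ev.get("Type") == "Process Creation"
            and ev.get("Target.Process.Name", "").lower() == "msiexec.exe"
            and ev.get("Source.Process.File.Signed", "").lower() == "false")

def targeted_file(ev: Dict[str, str]) -> str:
    """Pivot: the takeover target is the argument after the PoC image name."""
    parts = ev.get("Source.Process.CommandLine", "").split(maxsplit=1)
    return parts[1] if len(parts) == 2 else ""

def hunt(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Apply both queries; return (query, parent process, targeted file) per hit."""
    hits = []
    for ev in events:
        if match_poc_file_create(ev):
            hits.append(("poc_file_create", ev["Source.Process.Name"], targeted_file(ev)))
        elif match_unsigned_msiexec_parent(ev):
            hits.append(("unsigned_msiexec_parent", ev["Source.Process.Name"], targeted_file(ev)))
    return hits
```

As the article notes for the second query, an unsigned msiexec parent is a lead rather than a verdict, so each hit should be checked against the other indicators before a playbook acts on it.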

 

MITRE ATT&CK Mappings

TA0004 – Privilege Escalation

 

Technique ID: T1068
Technique Description: Exploitation for Privilege Escalation
Observed Activity: The POC exploit analyzed in this article targets the CVE-2021-41379 vulnerability in Windows Installer (msiexec.exe), which is present in the Windows operating system. Exploitation of this vulnerability leads to local privilege escalation.

 

 

TA0005 - Defense Evasion

 

Technique ID: T1548.002
Technique Description: Abuse Elevation Control Mechanism: Bypass User Account Control
Observed Activity: The POC exploit analyzed in this article uses LPE access to bypass user access controls, take control of a target file and alter its ACLs to give a normal user access to any file on an endpoint.

Technique ID: T1218.007
Technique Description: Signed Binary Proxy Execution: Msiexec
Observed Activity: The POC exploit analyzed in this article targets the CVE-2021-41379 vulnerability in Windows Installer (msiexec.exe), which is present in the Windows operating system.
