Detecting CVE-2021–41379 using EQL
Author
Hilton D
Date Published

Microsoft’s patch for https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-41379 was apparently done on a bumpy taxi ride and we now have an exploit that can do local privilege escalation with very few mitigations.
If you use Elastic Agents on your fleet you can detect exploitation of this using the following EQL query. Please note that this is a work-in-progress (although due to the severity of this bug a noisy detection might be better than getting owned):
sequence with maxspan=30s
  [file where file.name == "elevation_service.exe" and event.action == "overwrite"]
  [process where process.name : "cmd.exe" and user.name : "SYSTEM" and process.parent.name : "elevation_service.exe" and event.action : "start"]
Obviously there are quite a few assumptions here:
- I’m assuming the exploit needs to change the elevation_service file to work
- I’m assuming that they’re spawning cmd.exe (they could spawn any process)
The path of the changed file could be specified — come and work on the rule with the Elastic community at https://github.com/elastic/detection-rules/issues/1628
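To make the two-stage logic of the query concrete, here is an added Python example (not part of the original post and not Elastic's code) that emulates a simplified form of EQL's sequence matching over a handful of constructed ECS-style events: a stage-1 file overwrite of elevation_service.exe must be followed, within maxspan=30s, by a stage-2 SYSTEM process start whose parent is elevation_service.exe. The `process_names` parameter is an assumption added here to show how the second caveat above (the child could be any process, not just cmd.exe) changes what the rule catches; the timestamps and usernames are made up.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Sequence, Tuple

MAXSPAN = timedelta(seconds=30)

# Constructed sample events in a flattened ECS-style shape (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # ordinary user shell, no SYSTEM / elevation_service parent: never stage 2
    {"@timestamp": "2021-11-23T10:00:00Z", "event.category": "process", "event.action": "start",
     "process.name": "cmd.exe", "user.name": "alice", "process.parent.name": "explorer.exe"},
    # stage 1 followed 7 seconds later by stage 2: should match
    {"@timestamp": "2021-11-23T10:00:05Z", "event.category": "file", "event.action": "overwrite",
     "file.name": "elevation_service.exe", "user.name": "alice"},
    {"@timestamp": "2021-11-23T10:00:12Z", "event.category": "process", "event.action": "start",
     "process.name": "cmd.exe", "user.name": "SYSTEM", "process.parent.name": "elevation_service.exe"},
    # overwrite with the stage-2 event five minutes later: outside maxspan, no match
    {"@timestamp": "2021-11-23T11:00:00Z", "event.category": "file", "event.action": "overwrite",
     "file.name": "elevation_service.exe", "user.name": "installer"},
    {"@timestamp": "2021-11-23T11:05:00Z", "event.category": "process", "event.action": "start",
     "process.name": "cmd.exe", "user.name": "SYSTEM", "process.parent.name": "elevation_service.exe"},
    # overwrite followed by a non-cmd.exe child: only matches if the rule is broadened
    {"@timestamp": "2021-11-23T12:00:00Z", "event.category": "file", "event.action": "overwrite",
     "file.name": "elevation_service.exe", "user.name": "bob"},
    {"@timestamp": "2021-11-23T12:00:10Z", "event.category": "process", "event.action": "start",
     "process.name": "powershell.exe", "user.name": "SYSTEM", "process.parent.name": "elevation_service.exe"},
]


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def is_stage1(e: Dict[str, str]) -> bool:
    """[file where file.name == "elevation_service.exe" and event.action == "overwrite"]"""
    return (e.get("event.category") == "file"
            and e.get("file.name") == "elevation_service.exe"
            and e.get("event.action") == "overwrite")


def is_stage2(e: Dict[str, str], process_names: Optional[Sequence[str]]) -> bool:
    """[process where process.name : <names> and user.name : "SYSTEM"
        and process.parent.name : "elevation_service.exe" and event.action : "start"]
    process_names=None drops the process.name constraint (any child process)."""
    return (e.get("event.category") == "process"
            and e.get("event.action") == "start"
            and e.get("user.name") == "SYSTEM"
            and e.get("process.parent.name") == "elevation_service.exe"
            and (process_names is None or e.get("process.name") in process_names))


def find_sequences(events: List[Dict[str, str]],
                   maxspan: timedelta = MAXSPAN,
                   process_names: Optional[Sequence[str]] = ("cmd.exe",),
                   ) -> List[Tuple[Dict[str, str], Dict[str, str]]]:
    """Simplified emulation of `sequence with maxspan`: walk events in time order,
    keep stage-1 hits as pending candidates, expire them once they are older than
    maxspan, and pair each stage-2 hit with the oldest still-valid candidate."""
    ordered = sorted(events, key=lambda e: parse_ts(e["@timestamp"]))
    pending: List[Dict[str, str]] = []
    matches: List[Tuple[Dict[str, str], Dict[str, str]]] = []
    for e in ordered:
        now = parse_ts(e["@timestamp"])
        pending = [p for p in pending if now - parse_ts(p["@timestamp"]) <= maxspan]
        if is_stage1(e):
            pending.append(e)
        elif is_stage2(e, process_names) and pending:
            matches.append((pending.pop(0), e))
    return matches


if __name__ == "__main__":
    for first, second in find_sequences(SAMPLE_EVENTS):
        print("strict rule hit:", first["@timestamp"], "->", second["@timestamp"], second["process.name"])
    for first, second in find_sequences(SAMPLE_EVENTS, process_names=None):
        print("any-child rule hit:", first["@timestamp"], "->", second["@timestamp"], second["process.name"])
```

Running it with the default `process_names=("cmd.exe",)` yields one hit (the 10:00:05 overwrite paired with the 10:00:12 cmd.exe start); the 11:00 overwrite is discarded because its SYSTEM child appears five minutes later, well past maxspan. Passing `process_names=None` also surfaces the powershell.exe child at 12:00:10, which is the trade-off the second assumption above describes: the broader rule catches other spawned processes at the cost of more noise.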
Picture courtesy Patrick Federi