
Threat Hunting Case Study: FileFix
FileFix bypasses Mark of the Web (MotW) protections by hijacking the Windows File Explorer address bar. Here is how to hunt for it.

InstallerFileTakeover (CVE-2021-41379) is a local privilege escalation vulnerability in Windows that enables an attacker to elevate privileges on fully patched Windows 10, Windows 11, and Windows Server systems. The vulnerability was identified by security researcher Abdelhamid Naceri, who posted a proof-of-concept exploit to their GitHub page in late November 2021.
The proof-of-concept works by overwriting the discretionary access control list (DACL) of the Microsoft Edge Elevation Service in order to replace any executable on the system with an MSI installer file. This lets an attacker execute code with SYSTEM-level privileges and then carry out further actions on objectives, such as lateral movement, persistence, or installing additional malware.
Cisco Talos, Cisco's threat intelligence group, reports that it has already observed malware samples in the wild attempting to exploit CVE-2021-41379. Because of the complexity of this vulnerability, no mitigation steps are available at this time.