Query Details

Defending Against Windows Internet Shortcut Files Security Feature Bypass Vulnerability CVE 2024 21412

Query

//Defending against Windows Internet Shortcut Files Security Feature Bypass Vulnerability (CVE-2024-21412)
//https://www.linkedin.com/pulse/defending-against-windows-internet-shortcut-files-security-steven-lim-tbnoe/

UrlClickEvents
| where Timestamp > ago (1h)
| where UrlChain matches regex "https?://.+\\.url(\\?.*)?(#.*)?$" 

// MITRE ATT&CK Mapping

// The query seems to focus on detecting potentially malicious URL clicks, which can be associated with the following MITRE ATT&CK techniques:

// T1071.001 - Application Layer Protocol: Web Protocols:
// This technique involves adversaries using web protocols to communicate with compromised systems. Detecting specific URL patterns can help identify such communications1.

// T1204.001 - User Execution: Malicious Link:
// This technique involves users executing malicious links. By filtering URL click events, you can detect instances where users might have clicked on suspicious or malicious URLs2.

// T1566.002 - Phishing: Spearphishing Link:
// This technique involves adversaries sending emails with malicious links. Monitoring URL click events can help detect when users click on links that might be part of a phishing campaign3.

Explanation

This query is designed to detect potentially malicious URL clicks that could exploit a specific vulnerability in Windows Internet Shortcut Files (CVE-2024-21412). It focuses on identifying URL click events that occurred within the last hour and match a particular pattern indicative of suspicious URLs ending with ".url".

The query is aligned with several MITRE ATT&CK techniques:

  1. T1071.001 - Application Layer Protocol: Web Protocols: It helps identify when adversaries use web protocols to communicate with compromised systems by detecting specific URL patterns.

  2. T1204.001 - User Execution: Malicious Link: It aims to detect instances where users might have clicked on suspicious or malicious links by filtering URL click events.

  3. T1566.002 - Phishing: Spearphishing Link: It assists in identifying when users click on links that could be part of a phishing campaign, particularly those sent via email.

Overall, the query is a proactive measure to monitor and potentially mitigate threats associated with malicious URL activity.

Details

Steven Lim profile picture

Steven Lim

Released: August 25, 2024

Tables

UrlClickEvents

Keywords

UrlClickEventsTimestampChainRegexClicksMitreAttackTechniquesApplicationLayerProtocolWebProtocolsUserExecutionMaliciousLinkPhishingSpearphishing

Operators

agomatches regexwhere

Actions

GitHub