T1204 User Execution MonikerLink

DESCRIPTION

Detects potential MonikerLink exploit CVE-2024-21413 activity by looking for certain strings in URLs

Related

Microsoft Outlook CVE-2024-21413

Reference

https://research.checkpoint.com/2024/the-risks-of-the-monikerlink-bug-in-microsoft-outlook-and-the-big-picture
https://github.com/xaitax/CVE-2024-21413-Microsoft-Outlook-Remote-Code-Execution-Vulnerability?tab=readme-ov-file

ATT&CK TACTICS

T1204 - User Execution

Data Source(s): Network Traffic

SENTINEL RULE QUERY

// Combine URL observations from e-mail (Defender for Office 365) with endpoint
// network/device events; isfuzzy=true lets the query run even if one of the
// tables is not present in the workspace.
union isfuzzy=true
(EmailUrlInfo
// A "file:" scheme followed later by "!" is the MonikerLink pattern described in the references.
// Note: matches regex is case-sensitive; prefix the pattern with (?i) to also match "FILE:".
| where Url matches regex @".*file:.*!"),
(union DeviceNetworkEvents, DeviceEvents
| where RemoteUrl matches regex @".*file:.*!")

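The following Python snippet is an added illustration of the rule's matching logic and is not part of the original Sentinel rule. It applies the same `.*file:.*!` expression to a handful of constructed URL events (the host 203.0.113.5 is a documentation address, the table names mirror the rule's sources), shows which rows the rule would return, demonstrates that the pattern as written is case-sensitive, and splits a matched URL into the file path, host and the text after the `!` to support the triage step.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Same expression the Sentinel rule uses. re.search behaves like KQL's
# "matches regex": the pattern may match anywhere in the string.
MONIKERLINK_RE = re.compile(r".*file:.*!")
# Case-insensitive variant, equivalent to prefixing the KQL pattern with (?i).
MONIKERLINK_RE_CI = re.compile(r".*file:.*!", re.IGNORECASE)


@dataclass
class UrlEvent:
    table: str  # constructed: EmailUrlInfo, DeviceNetworkEvents or DeviceEvents
    url: str    # Url (EmailUrlInfo) or RemoteUrl (device tables)


def is_monikerlink_candidate(url: str, ignore_case: bool = False) -> bool:
    """True when the URL carries a file: scheme followed by a '!'."""
    pattern = MONIKERLINK_RE_CI if ignore_case else MONIKERLINK_RE
    return pattern.search(url) is not None


def hunt(events: List[UrlEvent], ignore_case: bool = False) -> List[UrlEvent]:
    """Return the rows the rule would surface, in input order."""
    return [e for e in events if is_monikerlink_candidate(e.url, ignore_case)]


def triage_fields(url: str) -> Optional[dict]:
    """Split a matched URL into path, host (for UNC-style paths) and the
    moniker text after the first '!'. Returns None when the URL does not match."""
    m = re.search(r"file:(?P<path>[^!]*)!(?P<moniker>.*)", url)
    if m is None:
        return None
    path = m.group("path")
    # Strip the leading slashes of file:///... and take the first path component;
    # for a UNC-style path that component is the remote host.
    stripped = path.lstrip("/\\")
    first = re.split(r"[\\/]", stripped, maxsplit=1)[0]
    host = None if re.fullmatch(r"[A-Za-z]:", first) else (first or None)
    return {"path": path, "host": host, "moniker": m.group("moniker")}


# Constructed sample events; only the third and (case-insensitively) fifth match.
SAMPLE_EVENTS = [
    UrlEvent("EmailUrlInfo", "https://example.com/report?id=1"),
    UrlEvent("EmailUrlInfo", "file:///C:/Users/alice/Documents/notes.txt"),
    UrlEvent("DeviceNetworkEvents", "file://///203.0.113.5/share/note.rtf!x"),
    UrlEvent("DeviceEvents", "https://example.com/login!"),
    UrlEvent("EmailUrlInfo", "FILE://///203.0.113.5/share/note.rtf!x"),
]


if __name__ == "__main__":
    for e in hunt(SAMPLE_EVENTS):
        print(e.table, e.url, triage_fields(e.url))
    print("case-insensitive hits:", len(hunt(SAMPLE_EVENTS, ignore_case=True)))
```

Running the block prints the single case-sensitive hit with its triage fields; the uppercase `FILE:` row is only caught when `ignore_case=True`, which is the reason for the `(?i)` caveat on the KQL pattern.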
Triage

  1. Inspect the matched URL links to determine whether the activity is malicious

Version

Version 1.0 (date 19/2/2024)