@d4rk-d4nph3
Last active February 5, 2022 17:38
KQL Query for CVE-2022-21882 Detection

Background

  • CVE-2022-21882 is a Win32K LPE vulnerability.
  • CVE-2022-21882 bypasses CVE-2021-1732.
  • Microsoft patched CVE-2021-1732 back in last year's February Patch Tuesday.
  • Microsoft patched CVE-2022-21882 just recently, in January's Patch Tuesday.
  • CVE-2022-21882's PoC is now public.

Detection

A generic LPE detection query also catches exploitation of CVE-2022-21882. The power of MDE shines here for two reasons:

  • Availability of the grandparent process.
  • Availability of the parent process's integrity level (Sysmon does not record this for the parent process).

Due to these reasons, no expensive joins are required for our detection!

let timeframe = 7d;
DeviceProcessEvents
| where Timestamp > ago(timeframe)
| where InitiatingProcessParentFileName in~ ("cmd.exe", "powershell.exe", "powershell_ise.exe") // Grandparent process
| where InitiatingProcessIntegrityLevel != "System"
| where ProcessIntegrityLevel == "System"
// You may need to whitelist processes depending upon your environment.
| project ProcessCommandLine, ProcessIntegrityLevel, InitiatingProcessFileName, 
          InitiatingProcessIntegrityLevel, InitiatingProcessParentFileName, InitiatingProcessCommandLine
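
To show what the query above actually filters on, here is an added Python re-implementation of the same logic run over constructed DeviceProcessEvents rows (example code, not part of the gist). The first two sample rows mirror the results below; the remaining rows, the process names in them, and the `allowlist` parameter are assumptions added to illustrate the negative cases and the whitelisting comment.

```python
from dataclasses import dataclass

# Grandparent names the KQL query matches with in~ (case-insensitive).
GRANDPARENT_SHELLS = {"cmd.exe", "powershell.exe", "powershell_ise.exe"}


@dataclass
class DeviceProcessEvent:
    """Subset of MDE DeviceProcessEvents columns the query projects."""
    ProcessCommandLine: str
    ProcessIntegrityLevel: str
    InitiatingProcessFileName: str
    InitiatingProcessIntegrityLevel: str
    InitiatingProcessParentFileName: str
    InitiatingProcessCommandLine: str


def matches_lpe_query(ev: DeviceProcessEvent, allowlist=frozenset()) -> bool:
    """Python equivalent of the KQL filter: a System-integrity child whose
    parent was not System and whose grandparent is an interactive shell."""
    if ev.InitiatingProcessParentFileName.lower() not in GRANDPARENT_SHELLS:
        return False                      # grandparent check (in~)
    if ev.InitiatingProcessIntegrityLevel == "System":
        return False                      # parent already System: no elevation
    if ev.ProcessIntegrityLevel != "System":
        return False                      # child did not reach System
    # Environment-specific exclusions (the query's "whitelist" comment);
    # hypothetical parameter, matched case-insensitively on the parent name.
    return ev.InitiatingProcessFileName.lower() not in allowlist


# Constructed sample events; rows 1-2 mirror the gist's result table,
# the rest are hypothetical benign activity.
SAMPLE_EVENTS = [
    DeviceProcessEvent("whoami.exe", "System", "CVE-2021-1732.exe", "Medium", "cmd.exe", 'CVE-2021-1732.exe "whoami.exe"'),
    DeviceProcessEvent("whoami.exe /all", "System", "CVE-2021-1732.exe", "Medium", "CMD.EXE", 'CVE-2021-1732.exe "whoami.exe /all"'),
    # Parent already System: service host spawning a child, not an LPE.
    DeviceProcessEvent("conhost.exe", "System", "svchost.exe", "System", "cmd.exe", "svchost.exe -k netsvcs"),
    # Child stays Medium: ordinary user activity under a shell.
    DeviceProcessEvent("notepad.exe", "Medium", "explorer.exe", "Medium", "cmd.exe", "explorer.exe"),
    # Grandparent is not a shell, so the query ignores it.
    DeviceProcessEvent("whoami.exe", "System", "runner.exe", "Medium", "explorer.exe", "runner.exe"),
]


def run_detection(events=SAMPLE_EVENTS, allowlist=frozenset()):
    """Return the ProcessCommandLine of every event the query would surface."""
    return [ev.ProcessCommandLine for ev in events if matches_lpe_query(ev, allowlist)]


if __name__ == "__main__":
    for line in run_detection():
        print("HIT:", line)
```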

Results

| ProcessCommandLine | ProcessIntegrityLevel | InitiatingProcessFileName | InitiatingProcessIntegrityLevel | InitiatingProcessParentFileName | InitiatingProcessCommandLine |
|---|---|---|---|---|---|
| whoami.exe | System | CVE-2021-1732.exe | Medium | cmd.exe | "CVE-2021-1732.exe "whoami.exe"" |
| whoami.exe /all | System | CVE-2021-1732.exe | Medium | cmd.exe | "CVE-2021-1732.exe "whoami.exe /all"" |

PS: Compiling the PoC in Visual Studio produces the exploit binary named CVE-2021-1732.exe, which is why that name appears in the results.

MDE Alert

MDE names CVE-2021-1732 in its alert title. This is understandable, since CVE-2022-21882 is a bypass of the CVE-2021-1732 fix.

| Timestamp (UTC) | AlertId | Title | Category | Severity | ServiceSource | DetectionSource | AttackTechniques |
|---|---|---|---|---|---|---|---|
| 2022-01-29T13:47:15.3471825Z | da637790609308226272_-1364613152 | Possible exploitation of CVE-2021-1732 | Exploit | High | Microsoft Defender for Endpoint | Antivirus | |
| 2022-01-29T13:47:15.3471825Z | da637790609305584353_1017553236 | 'Consoler' high-severity malware was detected | Malware | High | Microsoft Defender for Endpoint | Antivirus | |