Click with Caution: The Moniker Link Vulnerability (CVE-2024-21413) Exposed | Threat Snapshot
Did you catch the MonikerLink vulnerability from Microsoft's February 2024 "Patch Tuesday"? It's not often that a CVSS 9.8 remote code execution flaw is identified in a product as widely deployed as Outlook. But does it live up to the hype? Tracked as CVE-2024-21413, the flaw lets a crafted hyperlink in an e-mail bypass Outlook's normal handling of file:// links: as Check Point's research describes, a file:// URL that points at an attacker-controlled SMB share and carries the "!" item-moniker delimiter is handed to the COM moniker parser instead of being blocked, so a single click opens the remote file outside Protected View, the resulting SMB connection leaks the user's NTLM credentials, and the attacker can potentially reach remote code execution. The flaw underscores the risks of the Component Object Model (COM) in Windows and prompts a broader conversation about software that uses COM APIs insecurely. In this Threat Snapshot we'll break down how the attack works and what artifacts it leaves behind, then use those artifacts to build behavioral detections and hunting queries to protect your organization.
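One artifact worth hunting for before the click ever happens is the hyperlink itself. The scanner below is an added example written for this post, not SnapAttack's detection content and not Check Point's proof-of-concept; it applies the link shape Check Point documented (a file:// URL whose path carries the "!" item-moniker delimiter) to the hyperlinks in an e-mail HTML body. The sample message, the hostnames and the 203.0.113.5 address are constructed for the demonstration, and the local/remote host heuristic and the verdict names are this example's own assumptions.

```python
"""Flag MonikerLink-style hyperlinks (CVE-2024-21413) in an e-mail HTML body."""
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed sample body, not a captured phishing message: one ordinary https
# link, one plain UNC file: link, and one file: link carrying the "!" moniker
# delimiter that Check Point documented as the trigger for the bypass.
SAMPLE_HTML = r"""
<html><body>
<p>Quarterly report: <a href="https://intranet.example.test/reports/q1.pdf">Q1 report</a></p>
<p>Archive copy: <a href="file://fileserver.example.test/share/q1.rtf">archive</a></p>
<p>Updated figures: <a href="file:///\\203.0.113.5\share\q1.rtf!decoy">CLICK ME</a></p>
</body></html>
"""

_SEP = re.compile(r"[\\/]+")          # UNC and URL path separators
_DRIVE = re.compile(r"^[A-Za-z]:$")   # "C:" style local drive segment


class _HrefCollector(HTMLParser):
    """Collect every href on an <a> tag; HTMLParser decodes entities for us."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.hrefs.append(value)


def extract_hrefs(html):
    parser = _HrefCollector()
    parser.feed(html)
    return parser.hrefs


def classify_link(href):
    """Return a dict with verdict/host/item for one hyperlink.

    Verdicts (names are this example's own):
      benign          - not a file: URL
      local-file-link - file: URL on a local drive or with no host
      unc-file-link   - file: URL that resolves to a remote host (NTLM exposure on click)
      monikerlink     - file: URL containing "!", the item-moniker delimiter that
                        causes Outlook to pass the link to the COM moniker parser
    """
    raw = href.strip()
    if not raw.lower().startswith("file:"):
        return {"href": href, "verdict": "benign", "host": None, "item": None}

    # Percent-decode first so "%21" cannot hide the "!" and "%5C" cannot hide a UNC path.
    rest = unquote(raw[len("file:"):]).lstrip("/\\")
    path, _, item = rest.partition("!")
    segments = [s for s in _SEP.split(path) if s]
    first = segments[0] if segments else ""
    # Heuristic: the first path segment is a remote host unless it is a drive
    # letter or "localhost". Good enough for triage, not a full file-URL parser.
    is_remote = bool(first) and not _DRIVE.match(first) and first.lower() != "localhost"
    host = first if is_remote else None

    if "!" in rest:
        verdict = "monikerlink"
    elif is_remote:
        verdict = "unc-file-link"
    else:
        verdict = "local-file-link"
    return {"href": href, "verdict": verdict, "host": host, "item": item or None}


def scan_html(html):
    """Classify every hyperlink in an HTML body, in document order."""
    return [classify_link(h) for h in extract_hrefs(html)]


if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        print(f"{f['verdict']:16} host={str(f['host']):26} item={str(f['item']):8} {f['href']}")
```

Running the script prints one line per link; only the third is a "monikerlink" hit, with the remote host and the item-moniker text split out so an analyst can pivot to SMB traffic toward that host. The plain UNC link is surfaced at a lower severity because clicking it still sends an SMB authentication attempt, which is why the "Suspicious SMB Connection as System" and "Office Application Initiated Network Connection" detections listed below matter as the second layer.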
References:
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21413
- https://research.checkpoint.com/2024/the-risks-of-the-monikerlink-bug-in-microsoft-outlook-and-the-big-picture/
- https://twitter.com/_Omer_GG/status/1758137072215523717
SnapAttack Resources:
- https://app.snapattack.com/threat/679f7447-ae80-5ab3-095c-f4441bfc3b59 - Threat: CVE-2024-21413 Outlook MonikerLink Exploitation
- https://app.snapattack.com/detection/e2f6d594-ca8a-4ecb-9f89-cd3bb93b9d0a - Detection: MonikerLink Exploitation
- https://app.snapattack.com/detection/1a28d3ad-852d-47b9-8b30-ca8f3242ac02 - Detection: Suspicious SMB Connection as System
- https://app.snapattack.com/detection/b8291bf0-7c50-47e7-8391-f9318dfe4ec8 - Detection: Suspicious Outlook Child Process
- https://app.snapattack.com/detection/f1f0fe1f-d322-4c31-b575-3ef57d039548 - Detection: Office Application Initiated Network Connection To Non-Local IP