This month it was disclosed that a Microsoft local privilege elevation vulnerability, previously patched in the November 2021 Patch Tuesday, was not patched correctly and is still exploitable. Using this vulnerability, threat actors with limited access to a compromised device can easily elevate their privileges, which helps them spread laterally within the network.
Figure 1. MITRE ATT&CK Matrix for Windows Zero-Day in MVISION Insights
The vulnerability affects all supported versions of Windows, including Windows 10, Windows 11, and Windows Server 2022. At the time of writing, Microsoft has not released any updates or out-of-band patches to resolve it.
CVE-2021-41379 – Microsoft Windows Installer Elevation of Privilege Vulnerability
McAfee Enterprise Protections and Global Detections
McAfee Enterprise Global Threat Intelligence is currently detecting all known proof of concept exploits for this zero-day vulnerability as malicious.
Blocking Exploitation Attempts with McAfee Enterprise ENS
McAfee Enterprise Endpoint Security (ENS) is currently detecting exploitation attempts and will quarantine the tools utilized to exploit this vulnerability as shown below.
Figure 2. Story Graph summary of exploitation detection by McAfee Enterprise ENS shown in MVISION ePO
Detecting Exploitation Activity with MVISION EDR
MVISION Endpoint Detection and Response (EDR) currently flags this exploitation activity as malicious and notes the MITRE techniques and any suspicious indicators related to the exploit attempts.
Figure 3. Detection of zero-day exploitation activity and techniques in MVISION EDR
Threat Intelligence for Exploitation IOCs with MVISION Insights
MVISION Insights provides the current threat intelligence and known indicators for exploitation of this vulnerability. It also alerts on detections that have been observed and on systems that require additional attention, to prevent widespread infection. In addition, it includes Hunting Rules and Campaign Connections for threat hunting and further intelligence gathering on the threat activity and adversary.
MVISION Insights Campaign: New Windows Zero-Day CVE-2021-41379 With Public Exploit Lets You Become an Admin
Figure 4. Global Prevalence of zero-day exploitation activity in MVISION Insights
Figure 5. Exploitation IOCs and Detections in MVISION Insights
McAfee Enterprise offers Threat Intelligence Briefings along with Cloud Security and Data Protection workshops to provide customers with best practice recommendations on how to utilize their existing security controls to protect against adversarial and insider threats; please reach out if you would like to schedule a workshop with your organization.