Let’s Defend Follina 0-Day Detected Write Up

If you have a free trial account at Let's Defend, the first day of every month is like Christmas for you, because they load 15 free investigations onto your account.

Follina (CVE-2022-30190) was a very interesting investigation for me, so let's dive into the 0-day case.

Microsoft's explanation of the vulnerability on its official website

We are given the file hash, so the first step is to look the suspicious file up on VirusTotal.

Community

We can see the Follina flag on this hash, and FileScan.IO confirms the exploited CVE.

RELATION

This is a DOCX file, and the Relations tab shows the C2 addresses associated with the malicious file.

I do not like the "Define Threat Indicator" options on Let's Defend because they mostly cannot describe our activity.

Answer: Unknown or unexpected services and applications configured to launch automatically on system boot.

When we check the process history, msdt.exe looks suspicious. msdt is short for Microsoft Support Diagnostic Tool; it is a legitimate, signed Windows binary, and that is exactly why Follina abuses it: the document invokes the ms-msdt: protocol handler, so the Office process ends up spawning msdt.exe. Seeing msdt.exe with an Office parent is the indicator, not the binary itself. VirusTotal confirmed this suspicious tool when we checked.

This process executed a Base64-encoded command. Decoding it reveals the actual command.

The decoded Base64 also accounts for the cmd.exe process we saw as a child of msdt.exe.

The malicious activity was confirmed from the process history. "Malware not quarantined/cleaned" is therefore the correct answer.
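The triage above (spot msdt.exe under an Office parent, pull the Base64 out of its command line, decode it, and match the result against the child process) can be scripted. The block below is an added example, not code from the Let's Defend case or from the original write-up. Every process event in it is constructed to mimic an EDR process-creation record; the field names (pid, ppid, parent, image, cmdline) are an assumption rather than a Let's Defend schema, the msdt.exe command line follows the shape used in public Follina proof-of-concepts, and the Base64 payload is a harmless constructed command standing in for the real one.

```python
"""Triage of Follina-style (CVE-2022-30190) msdt.exe process events.

Added example, not code from the LetsDefend case or the original write-up.
Every event below is CONSTRUCTED to mimic an EDR process-creation record
(pid, ppid, parent image, image, command line); the field names are an
assumption, not a LetsDefend schema.
"""
import base64
import re

# Office processes that have no business launching msdt.exe.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Public Follina PoCs hide the PowerShell payload as base64 inside the
# IT_BrowseForFile parameter, assembling quotes and colons from [char]34 and
# [char]58. This pattern captures the base64 blob between the two [char]34s.
FOLLINA_B64_RE = re.compile(
    r"FromBase64String\('\+\[char\]34\+'([A-Za-z0-9+/=]+)'\+\[char\]34\+"
)

# Constructed, harmless payload standing in for the real one.
PAYLOAD = "cmd.exe /c whoami > C:\\Users\\Public\\out.txt"
B64 = base64.b64encode(PAYLOAD.encode()).decode()

# msdt.exe command line in the shape used by public Follina PoCs (constructed).
FOLLINA_CMD = (
    'msdt.exe ms-msdt:/id PCWDiagnostic /skip force /param "'
    "IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu "
    "IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression("
    "'[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'"
    "+[char]58+[char]58+'FromBase64String('+[char]34+'" + B64 + "'+[char]34+'))'))))"
    'i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe"'
)

# Constructed process tree: Word -> msdt.exe -> cmd.exe, plus one benign msdt.exe.
SAMPLE_EVENTS = [
    {"pid": 2000, "ppid": 1000, "parent": "explorer.exe", "image": "WINWORD.EXE",
     "cmdline": 'WINWORD.EXE /n "C:\\Users\\user\\Downloads\\invoice.docx"'},
    {"pid": 3000, "ppid": 2000, "parent": "WINWORD.EXE", "image": "msdt.exe",
     "cmdline": FOLLINA_CMD},
    # Legitimate troubleshooter launch: same binary, benign parent, no payload.
    {"pid": 3100, "ppid": 700, "parent": "svchost.exe", "image": "msdt.exe",
     "cmdline": "msdt.exe -id NetworkDiagnosticsWeb"},
    {"pid": 4000, "ppid": 3000, "parent": "msdt.exe", "image": "cmd.exe",
     "cmdline": PAYLOAD},
]


def is_office_spawned_msdt(event):
    """Flag msdt.exe launched by an Office process or through the ms-msdt: handler."""
    if event["image"].lower() != "msdt.exe":
        return False
    return (event["parent"].lower() in OFFICE_PARENTS
            or "ms-msdt:" in event["cmdline"].lower())


def extract_base64(cmdline):
    """Return the base64 blob from a Follina-style msdt command line, or None."""
    m = FOLLINA_B64_RE.search(cmdline)
    return m.group(1) if m else None


def decode_payload(cmdline):
    """Decode the smuggled command; None if absent or not valid base64/UTF-8."""
    blob = extract_base64(cmdline)
    if blob is None:
        return None
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(events):
    """Find Office -> msdt.exe launches and corroborate the decoded command
    against the children msdt.exe actually spawned (matched by ppid)."""
    findings = []
    for ev in events:
        if not is_office_spawned_msdt(ev):
            continue
        decoded = decode_payload(ev["cmdline"])
        children = [c for c in events if c["ppid"] == ev["pid"]]
        child_match = decoded is not None and any(
            c["cmdline"].strip() == decoded for c in children)
        findings.append({
            "pid": ev["pid"], "parent": ev["parent"], "decoded": decoded,
            "children": [c["image"] for c in children], "child_match": child_match,
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Matching children by ppid rather than by parent image name matters here: msdt.exe is also launched legitimately (the svchost.exe event above), and only the instance with the Office parent and the ms-msdt: URI should have its decoded payload compared against its own children.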

Not Quarantined

It is malicious activity, but we should confirm it on another platform before relying on it.

Open this file only inside an isolated virtual machine or sandbox. Do not download it to your host machine directly.

File Password: infected

In the ANY.RUN report we can see the CVE number, and the file is confirmed "Malicious".

These activities show that the file is malicious.

The last question asks about the C2 connection. We can answer it from the Log Management page.

The destination IP and destination URL are malicious, and the connection from the host was allowed rather than blocked.

Answer: Accessed

We contain the machine from Endpoint Security and submit the gathered information.

It was an enjoyable case.

Thank you for reading.

Orhan Öztaş

Blue Team member. I write articles to help you with cyber security.