Let’s Defend Follina 0-Day Detected Write Up
If you have a free trial account at Let’s Defend, the first day of every month is like Christmas for you, because they load 15 free investigations onto your account.
Follina is a very interesting investigation for me, so let’s dive deep into this 0-day investigation.
We have the file hash, so we will first investigate the suspicious file on VirusTotal.
We can see the Follina flag for this hash, and FileScanIO confirmed the exploit CVE.
This is a DOCX file, and we can see the C2 addresses related to the malicious file.
I do not like the “Define Threat Indicator” options on Let’s Defend because they mostly cannot define our activity.
Answer: Unknown or unexpected services and applications configured to launch automatically on system boot.
When we check the process history, msdt.exe looks suspicious: msdt is short for Microsoft Support Diagnostic Tool. VirusTotal confirmed that this tool was suspicious when we checked.
This process executed Base64-encoded code. When we decode it, we can see the command.
The decoded Base64 code also confirms the cmd.exe process we saw.
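As an added example (not part of the original write-up or of Let’s Defend’s tooling), the Python below triages a process-history record the way this step describes: it flags an msdt.exe launch and decodes any quoted Base64 in its command line. The event field names, the Office parent list and the sample record are constructed assumptions, and the payload is a harmless placeholder.

```python
import base64
import re

# Assumption: Office parents that should not normally spawn msdt.exe.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Quoted Base64 runs of 16+ characters, with optional padding.
QUOTED_B64 = re.compile(r"['\"]([A-Za-z0-9+/]{16,}={0,2})['\"]")

def decode_blob(blob):
    """Return decoded text if blob is valid Base64 holding printable text."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    for enc in ("utf-8", "utf-16-le"):  # UTF-16LE is common for PowerShell
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        if text and text.isprintable():
            return text
    return None

def triage(event):
    """Flag an msdt.exe launch and decode quoted Base64 in its command line."""
    if not event["image"].lower().endswith("msdt.exe"):
        return None
    cmdline = event["command_line"]
    decoded = [t for t in map(decode_blob, QUOTED_B64.findall(cmdline)) if t]
    parent = event["parent_image"].lower().rsplit("\\", 1)[-1]
    return {
        "office_parent": parent in OFFICE_PARENTS,
        "diagnostic_pack": "pcwdiagnostic" in cmdline.lower(),
        "decoded": decoded,
        "spawns_cmd": any("cmd.exe" in t.lower() for t in decoded),
    }

# Constructed sample record; the payload is a harmless placeholder and the
# "..." elisions stand in for the rest of the parameter string.
SAMPLE_B64 = base64.b64encode(b"cmd.exe /c echo constructed-sample").decode()
SAMPLE_EVENT = {
    "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    "image": r"C:\Windows\System32\msdt.exe",
    "command_line": "msdt.exe ms-msdt:/id PCWDiagnostic /skip force /param "
                    "\"IT_BrowseForFile=...FromBase64String('" + SAMPLE_B64 + "')...\"",
}

if __name__ == "__main__":
    print(triage(SAMPLE_EVENT))
```

An Office parent, the PCWDiagnostic pack and a decoded string that names cmd.exe together match what the process history showed in this case.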
The malicious activity was checked in the process history and verified. “Malware not quarantined/cleaned” looks like the correct choice.
It is malicious activity, but we have to check another platform for firm information.
We have to open this file on a virtualization platform. Do not download it directly to your host machine.
File Password: infected
In the ANY.RUN report, we can see the CVE number. The file is confirmed “Malicious”.
These activities show us that this file is malicious.
The last question asks about the C2 connection. We can check this from the Log Management field.
The destination IP and destination URL are malicious, and the connection from the host machine was allowed.
Answer: Accessed
We will contain the machine from Endpoint Security and provide the information we gathered.
It was an enjoyable case.
Thank you for reading.