I did a live query with the suggested code from the article and it gives me
Complete, no data sent
for all endpoints.
The reg keys are not present. So there should be some message like "ActiveX setting…
Thank you for contacting the Sophos Community. Sophos has released the following news article regarding this vulnerability. - https://nakedsecurity.sophos.com/2021/09/08/windows-zero-day-mshtml-attack-how-not-to-get-booby-trapped/
Within the article the following AV detection names are outlined. You can also see "CXmail/CXweb" detections generated from matching files.
Exp/2140444-A Troj/JSExp-W Troj/Cabinf-ATroj/Agent-BHROTroj/Agent-BHPO &
Intercept X has a behavioral detection that corresponds with the behavior of the exploit itself.
Any web-servers seen in the attacks will have their IP addresses re-classified as "C2" destinations, or "Malware/Callhome".
Thanks for your reply.
The reg keys are not present. So there should be some message like "ActiveX setting does not match the Microsoft recommendation"
SELECT name, type, data, datetime(mtime, 'unixepoch', 'localtime') AS registryWriteTime,
WHEN data = '3' THEN 'ActiveX set to DISABLED as recommended by Microsoft'
ELSE 'ActiveX setting does not match the Microsoft recommendation'
END AS mitigationStatus
WHERE path LIKE 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%\1001'
OR path LIKE 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%\1004'
Thanks love it.