Hello Timothy,
Thank you for contacting the Sophos Community. Sophos has released the following news article regarding this vulnerability.
- https://nakedsecurity.sophos.com/2021/09/08/windows-zero-day-mshtml-attack-how-not-to-get-booby-trapped/
Within the article the following AV detection names are outlined. You can also see "CXmail/CXweb" detections generated from matching files.
- Exp/2140444-A
- Troj/JSExp-W
- Troj/Cabinf-A
- Troj/Agent-BHRO
- Troj/Agent-BHPO
Intercept X has a behavioral detection that corresponds with the behavior of the exploit itself.
Any web-servers seen in the attacks will have their IP addresses re-classified as "C2" destinations, or "Malware/Callhome".
I did a live query with the suggested code from the article and it gives me "Complete, no data sent" for all endpoints.
The reg keys are not present, so there should be some message like "ActiveX setting does not match the Microsoft recommendation".
SELECT name, type, data, datetime(mtime, 'unixepoch', 'localtime') AS registryWriteTime,
  CASE
    WHEN data = '3' THEN 'ActiveX set to DISABLED as recommended by Microsoft'
    ELSE 'ActiveX setting does not match the Microsoft recommendation'
  END AS mitigationStatus
FROM registry
WHERE path LIKE 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%\1001'
   OR path LIKE 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%\1004'
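The query above only produces rows for registry values that exist, so on an endpoint where the policy keys were never created the CASE expression is never evaluated and the result is simply empty. The following osquery SQL is an added example (not from the article, Sophos, or the poster) that reports the expected keys even when they are absent: it builds the list of values that Microsoft's mitigation asks for (values 1001 and 1004, "Download signed/unsigned ActiveX controls", under zones 0 to 4) as an inline CTE and LEFT JOINs the live registry rows onto it. The original LIKE constraints are kept in the `found` subquery because osquery's `registry` table requires a constraint on `path`; the zone names in comments and the assumption that zones 0 to 4 are the ones of interest are mine.

```sql
-- Added example: report the ActiveX mitigation state per zone, including missing keys.
-- Assumes osquery (SQLite dialect), where the registry table needs a path constraint.
WITH expected(zone, path) AS (
  VALUES
    -- Zone 0 = Local Machine, 1 = Local intranet, 2 = Trusted sites,
    -- 3 = Internet, 4 = Restricted sites (standard Internet Settings zone numbering)
    (0, 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1001'),
    (0, 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004'),
    (1, 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1001'),
    (1, 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1004'),
    (2, 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1001'),
    (2, 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1004'),
    (3, 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1001'),
    (3, 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1004'),
    (4, 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1001'),
    (4, 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1004')
),
-- Live registry rows; the LIKE constraints satisfy the table's required path column.
found AS (
  SELECT path, data, mtime
  FROM registry
  WHERE path LIKE 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%\1001'
     OR path LIKE 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%\1004'
)
SELECT
  e.zone,
  -- 1001 = Download signed ActiveX controls, 1004 = Download unsigned ActiveX controls
  CASE WHEN e.path LIKE '%\1001' THEN 'signed ActiveX (1001)' ELSE 'unsigned ActiveX (1004)' END AS setting,
  COALESCE(f.data, '<not set>') AS data,
  CASE WHEN f.mtime IS NULL THEN NULL
       ELSE datetime(f.mtime, 'unixepoch', 'localtime') END AS registryWriteTime,
  CASE
    WHEN f.data IS NULL THEN 'Policy key missing - ActiveX setting does not match the Microsoft recommendation'
    WHEN f.data = '3'   THEN 'ActiveX set to DISABLED as recommended by Microsoft'
    ELSE 'ActiveX setting does not match the Microsoft recommendation'
  END AS mitigationStatus
FROM expected e
LEFT JOIN found f ON f.path = e.path
ORDER BY e.zone, e.path;
```

Run as a live query, this returns ten rows per endpoint regardless of whether the policy keys exist, so an endpoint that has not had the mitigation applied shows up with "Policy key missing" rather than an empty "no data sent" result. If you only care about the non-compliant machines, wrap the query in an outer SELECT with `WHERE mitigationStatus NOT LIKE 'ActiveX set to DISABLED%'`.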