Under Review

Query for CVE-2021-40444 MSHTML Process Event

This query will look for a process event that has been associated with this attack. WinWord.exe has launched a child process called "control.exe" and has been seen in the wild with this vulnerability.

This does NOT guarantee you've been breached but rather giving you a focused area of event logs to start your hunt on. Keep in mind you will need to be logging your audit events to see the process creation.

SELECT datetime(time, 'unixepoch','localtime') AS WinEventTimeStamp, datetime AS SystemTimeStamp, Source, eventID, task_message, executing_pid, executing_tid, data
FROM sophos_windows_events
WHERE eventID IS '4688'
AND data LIKE '%control.exe%'