Follina [CVE-2022-30190] OR MalDoc simulation plan | 01 June 2022

As per Microsoft's assessment, CVE-2022-30190 is categorized as a remote code execution vulnerability. This vulnerability emerges when MSDT is invoked through the URL protocol by a calling application, like MS Word.
An attacker who effectively exploits this vulnerability gains the ability to execute arbitrary code, utilizing the privileges of the calling application. This could permit the attacker to install applications, access, modify, or delete data, and even establish new user accounts within the scope of the user's permissions.

This simulation plan has been created to assess how your organization would respond to a full attack chain which would leverage Follina or MalDoc exploits. Step by step actions will be updated on this blog post.

1. Sending MalDoc created with Follina aka CVE-2022-30190 exploit.

To validate, email security systems and defenses

2. Execution of Follina/MSDT vulnerability from the DOCX/RTF file..

To validate, EDR/Anti-Virus and other host-based security products

To validate, Effectiveness of patching and mitigation controls

3. Fetching HTML file with C2 payload from target host.

To validate, Internet security controls and proxies

4. Downloading and executing HTML file contains Javascript and C2 executable payload with MSDT.

To validate, EDR and host-based security controls - Command Execution, LOLBIN, Downlaod and Execute.

To validate, Internet security controls and proxies

5. Establishing communication with Command and Control (C2) server.

To validate, Network security, Outbound connections, Internet security systems.

6. Adversary accessing the C2 server with C2 client..

Last updated on 23 Aug 2023

Go back to Blog and Random Thoughts