aneta5
Level 9
Message 1 of 24

CVE-2022-30190 - follina

Hi, does anyone have some rules that could be implemented to prevent https://www.cyber.gov.au/acsc/view-all-content/alerts/exploitation-microsoft-office-vulnerability-fo...? Thanks

23 Replies

Re: CVE-2022-30190 - follina

Well I can't link to their Github, so here is a copy and paste:

Rule {
    Process {
        Include OBJECT_NAME { -v "WINWORD.exe" }
        Include OBJECT_NAME { -v "EXCEL.exe" }
        Include OBJECT_NAME { -v "OUTLOOK.exe" }
    }
    Target {
        Match PROCESS {
            Include OBJECT_NAME { -v "msdt.exe" }
            Include -access "CREATE"
        }
    }
}
aneta5
Level 9
Message 3 of 24

Re: CVE-2022-30190 - follina

Thanks!

Can you please translate this into Access Protection rules?

Re: CVE-2022-30190 - follina

I generally wouldn't if I were you. You lose command line information, which is helpful for IR. Access Protection and Expert Rules both use the AAC engine, so it doesn't change performance or anything, other than the bit for extra logged data. However, if you must, set the parent as the top set of process and the sub rule as a process rule with msdt.exe as the target.
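An added example, not code from this thread or from McAfee/Trellix: the Expert Rule's parent/child condition (Office parent creating msdt.exe) re-implemented as triage logic over process-creation log lines, keeping the child's command line that the reply above says an Access Protection rule would not record. The one-line-per-event log layout, its field names and every event in it are constructed assumptions, not real telemetry.

```python
"""Triage of process-creation events with the same condition as the Expert Rule:
an Office parent spawning msdt.exe. Unlike the endpoint rule, the output keeps the
command line for IR. Log format and all events below are constructed samples."""
import ntpath
import re
from typing import Optional

OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}  # as in the Expert Rule
TARGET_CHILD = "msdt.exe"

# Constructed layout: timestamp, parent image, child image, quoted command line.
EVENT_RE = re.compile(
    r'^(?P<ts>\S+ \S+) ParentImage=(?P<parent>.+?) Image=(?P<image>.+?) '
    r'CommandLine="(?P<cmdline>.*)"$'
)

# Constructed sample events; only lines 1 and 4 should match.
SAMPLE_LOG = """\
2022-06-01 09:47:00 ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE Image=C:\\Windows\\System32\\msdt.exe CommandLine="msdt.exe [constructed arguments A]"
2022-06-01 09:48:10 ParentImage=C:\\Windows\\explorer.exe Image=C:\\Windows\\System32\\msdt.exe CommandLine="msdt.exe [constructed arguments B]"
2022-06-01 09:49:05 ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE Image=C:\\Windows\\System32\\cmd.exe CommandLine="cmd.exe /c dir"
2022-06-01 09:50:30 ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE Image=C:\\Windows\\SysWOW64\\msdt.exe CommandLine="msdt.exe [constructed arguments C]"
"""


def parse_event(line: str) -> Optional[dict]:
    """Parse one event; image names become lowercase basenames so install path
    and case (WINWORD.EXE vs WINWORD.exe) do not defeat the comparison."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m["ts"],
        "parent": ntpath.basename(m["parent"]).lower(),
        "child": ntpath.basename(m["image"]).lower(),
        "cmdline": m["cmdline"],
    }


def is_office_spawning_msdt(event: dict) -> bool:
    """The Expert Rule's condition: Office parent, msdt.exe as the created process."""
    return event["parent"] in OFFICE_PARENTS and event["child"] == TARGET_CHILD


def find_matches(log_text: str) -> list:
    """Matching events in log order, each still carrying its command line."""
    events = (parse_event(line) for line in log_text.splitlines() if line.strip())
    return [e for e in events if e and is_office_spawning_msdt(e)]
```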

tbloudek
Level 8
Message 5 of 24

Re: CVE-2022-30190 - follina

Can it look like this?

Endpoint Security Threat Prevention : Policy Category > Access Protection >

[attached screenshot: follinaENS-TP.PNG]

cheetah
Level 10
Message 6 of 24
emrahtolu
Level 7
Message 7 of 24

Re: CVE-2022-30190 - follina

What did you choose as a rule here?

operations
--any access
--create thread
--change
--terminate
--run

tbloudek
Level 8
Message 8 of 24

Re: CVE-2022-30190 - follina

I chose them all... since I am not sure what I am doing 🙂 No previous experience, so please take it with no assurance 🙂 Best we wait for the official McAfee solution.

tbloudek
Level 8
Message 9 of 24

Re: CVE-2022-30190 - follina

Another approach using an expert rule in Exploit Prevention (mentioned before the "copy-paste code" and the link to the "how to") could be like this?

[attached screenshots: Výstřižek.PNG, Poznámka 2022-06-01 094700.png]

tbloudek
Level 8
Message 10 of 24

Re: CVE-2022-30190 - follina

FYI, in the "how to" they mention the rule checker in the GUI of MA-ENS-TP-show_advanced; it gave me "Rule compilation succeeded".

[attached screenshot: rulechk.PNG]
