Detect CVE-2024-21413: Microsoft Outlook RCE via Moniker Link (MonikerLink) in Google Chronicle
CVE-2024-21413 is a critical remote code execution vulnerability in Microsoft Outlook caused by improper input validation of hyperlinks using the 'file://' moniker protocol combined with an exclamation mark suffix. When a victim previews or opens a crafted email, Outlook follows the malicious link without the usual Protected View warning, leaking NTLM credentials via an outbound SMB connection and potentially enabling remote code execution. CVSS 9.8. Actively exploited in the wild (CISA KEV).
MITRE ATT&CK
YARA-L Detection Query
rule cve_2024_21413_monikerlink_rce {
meta:
author = "df00tech Detection Engineering"
description = "Detects CVE-2024-21413 MonikerLink RCE exploitation via Outlook SMB egress and child process spawn"
severity = "CRITICAL"
priority = "HIGH"
reference = "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21413"
yara_version = "YL2.0"
rule_version = "1.0"
events:
$network.metadata.event_type = "NETWORK_CONNECTION"
$network.principal.process.file.full_path = /(?i)OUTLOOK\.EXE/
($network.target.port = 445 or $network.target.port = 139)
$process.metadata.event_type = "PROCESS_LAUNCH"
$process.principal.process.file.full_path = /(?i)OUTLOOK\.EXE/
$process.target.process.file.full_path = /(?i)(cmd|powershell|wscript|mshta|rundll32|regsvr32)\.exe/
$process.principal.hostname = $network.principal.hostname
match:
$network.principal.hostname over 5m
condition:
$network and $process
}Chronicle YARA-L rule correlating Outlook SMB network egress with subsequent child process spawning on the same host within 5 minutes, covering the CVE-2024-21413 full exploitation chain.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate Outlook-initiated SMB connections to internal file servers followed by automation
- Office add-ins that spawn child processes for document processing
- Security tools that hook into Outlook and spawn scanning processes
- IT desktop management software that uses Outlook as an event trigger
Other platforms for CVE-2024-21413
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1MonikerLink NTLM Credential Capture via Crafted Email
Expected signal: Windows Security Event ID 4776 on DC showing NTLM authentication from victim Outlook host to ATTACKER_IP. Sysmon Event ID 3 showing OUTLOOK.EXE network connection to ATTACKER_IP:445.
- Test 2Outlook Child Process Spawn via MonikerLink RCE Simulation
Expected signal: Sysmon Event ID 1 with ParentImage=OUTLOOK.EXE and Image=calc.exe (or substitute payload). DeviceProcessEvents in Defender ATP showing the process chain.
- Test 3MonikerLink Pattern Extraction and Email Header Analysis
Expected signal: Microsoft Defender for Office 365 EmailUrlInfo table entry with Url matching file://[IP]/[share]/[path]![suffix] pattern. Log ingestion into SIEM within 5-15 minutes.
- Test 4NTLM Hash Relay Attempt Post-Credential Capture
Expected signal: Windows Security Event ID 4624 (Type 3 network logon) on lab target using relayed credentials. Sysmon network events showing SMB connection from relay host to target. New process execution on target if relay succeeded.
References (4)
Unlock Pro Content
Get the full detection package for CVE-2024-21413 including response playbook, investigation guide, and atomic red team tests.