Detect CVE-2024-21413: Microsoft Outlook RCE via Moniker Link (MonikerLink) in IBM QRadar
CVE-2024-21413 is a critical remote code execution vulnerability in Microsoft Outlook caused by improper input validation of hyperlinks using the 'file://' moniker protocol combined with an exclamation mark suffix. When a victim previews or opens a crafted email, Outlook follows the malicious link without the usual Protected View warning, leaking NTLM credentials via an outbound SMB connection and potentially enabling remote code execution. CVSS 9.8. Actively exploited in the wild (CISA KEV).
MITRE ATT&CK
QRadar Detection Query
SELECT
DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
sourceip,
destinationip,
destinationport,
username,
"Image" AS process_image,
"ParentImage" AS parent_image,
"CommandLine" AS command_line,
QIDNAME(qid) AS event_name,
logsourcename(logsourceid) AS log_source
FROM events
WHERE
LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Microsoft Sysmon', 'Microsoft Defender ATP')
AND (
("ParentImage" ILIKE '%OUTLOOK.EXE%' AND "Image" ILIKE ANY ('%cmd.exe%', '%powershell.exe%', '%wscript.exe%', '%mshta.exe%', '%rundll32.exe%', '%regsvr32.exe%'))
OR ("Image" ILIKE '%OUTLOOK.EXE%' AND destinationport IN (445, 139))
)
AND LOGSOURCESTARTTIME(devicetime) > NOW() - 7 DAYS
ORDER BY starttime DESC
LAST 10000QRadar AQL detecting Outlook-initiated SMB egress and suspicious child processes spawned by Outlook, covering the primary CVE-2024-21413 exploitation indicators.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate internal file share access initiated through Outlook email links in corporate environments
- Help desk or IT automation scripts launched via Outlook scheduled emails
- Document management plugins that spawn helper processes under Outlook
- SIEM-integrated security tooling that processes email events and forks processes
Other platforms for CVE-2024-21413
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1MonikerLink NTLM Credential Capture via Crafted Email
Expected signal: Windows Security Event ID 4776 on DC showing NTLM authentication from victim Outlook host to ATTACKER_IP. Sysmon Event ID 3 showing OUTLOOK.EXE network connection to ATTACKER_IP:445.
- Test 2Outlook Child Process Spawn via MonikerLink RCE Simulation
Expected signal: Sysmon Event ID 1 with ParentImage=OUTLOOK.EXE and Image=calc.exe (or substitute payload). DeviceProcessEvents in Defender ATP showing the process chain.
- Test 3MonikerLink Pattern Extraction and Email Header Analysis
Expected signal: Microsoft Defender for Office 365 EmailUrlInfo table entry with Url matching file://[IP]/[share]/[path]![suffix] pattern. Log ingestion into SIEM within 5-15 minutes.
- Test 4NTLM Hash Relay Attempt Post-Credential Capture
Expected signal: Windows Security Event ID 4624 (Type 3 network logon) on lab target using relayed credentials. Sysmon network events showing SMB connection from relay host to target. New process execution on target if relay succeeded.
References (4)
Unlock Pro Content
Get the full detection package for CVE-2024-21413 including response playbook, investigation guide, and atomic red team tests.