Which SIEM platforms have a CVE-2025-21298 detection rule?

df00tech provides CVE-2025-21298 (CVE-2025-21298: Windows OLE RCE via Malicious RTF Document) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect CVE-2025-21298: Windows OLE RCE via Malicious RTF Document (CVE-2025-21298)?

Detecting CVE-2025-21298: Windows OLE RCE via Malicious RTF Document requires the following data sources: Microsoft Defender for Endpoint, Microsoft Sentinel.

What severity and confidence is the CVE-2025-21298 detection?

The CVE-2025-21298 detection is rated critical severity with high confidence.

What are common false positives for CVE-2025-21298?

Common false positives for CVE-2025-21298 include: Legitimate macro-enabled documents that spawn cmd.exe for business automation tasks; IT admin tools that use OLE embedding for legitimate deployment workflows; Security testing tools or red team exercises using RTF documents.

CVE-2025-21298: CVE-2025-21298: Windows OLE RCE via Malicious RTF Document — Detection (KQL, SPL, Sigma + 5 SIEMs)

Microsoft Sentinel / Defender

kusto

let suspiciousRTFParents = dynamic(["winword.exe", "outlook.exe", "thunderbird.exe", "mimecast.exe", "explorer.exe"]);
let oleHosts = dynamic(["wordpad.exe", "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"]);
let suspiciousChildren = dynamic(["cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "wmic.exe"]);
union
(
  DeviceProcessEvents
  | where TimeGenerated >= ago(7d)
  | where InitiatingProcessFileName in~ (oleHosts)
  | where FileName in~ (suspiciousChildren)
  | extend CommandLineLower = tolower(ProcessCommandLine)
  | where CommandLineLower has_any ("http", "https", "ftp", "\\\\\\\\")
        or CommandLineLower has_any ("invoke-expression", "iex", "downloadstring", "webclient", "start-process", "-enc", "-encodedcommand", "bypass")
  | project TimeGenerated, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, FolderPath, ReportId
  | extend DetectionReason = "OLE host spawned suspicious child process"
),
(
  DeviceFileEvents
  | where TimeGenerated >= ago(7d)
  | where InitiatingProcessFileName in~ (oleHosts)
  | where FileName endswith ".rtf" or FileName endswith ".doc" or FileName endswith ".docx"
  | where FolderPath has_any ("\\AppData\\Local\\Temp\\", "\\AppData\\Roaming\\", "\\ProgramData\\")
  | project TimeGenerated, DeviceName, AccountName, InitiatingProcessFileName, FileName, FolderPath, ReportId
  | extend DetectionReason = "OLE host wrote suspicious file to temp path"
),
(
  DeviceEvents
  | where TimeGenerated >= ago(7d)
  | where ActionType == "OleObjectLinkFollowed" or ActionType == "ExploitGuardNetworkProtectionAudited"
  | where InitiatingProcessFileName in~ (oleHosts)
  | project TimeGenerated, DeviceName, AccountName, InitiatingProcessFileName, ActionType, AdditionalFields, ReportId
  | extend DetectionReason = "OLE link or exploit guard event from Office host"
)
| summarize count() by TimeGenerated, DeviceName, AccountName, DetectionReason, ReportId
| sort by TimeGenerated desc

Detects CVE-2025-21298 OLE RCE exploitation by correlating Office/OLE host processes spawning suspicious child processes, writing files to temp paths, or triggering OLE link events. Covers both direct exploitation and post-exploitation activity from malicious RTF documents.

critical severity high confidence

Data Sources

Microsoft Defender for Endpoint Microsoft Sentinel

Required Tables

DeviceProcessEvents DeviceFileEvents DeviceEvents

False Positives

Legitimate macro-enabled documents that spawn cmd.exe for business automation tasks
IT admin tools that use OLE embedding for legitimate deployment workflows
Security testing tools or red team exercises using RTF documents
Document conversion utilities that spawn child processes as part of normal operation
Outlook add-ins that legitimately invoke shell commands via OLE

Splunk

spl

index=wineventlog OR index=sysmon sourcetype IN ("xmlwineventlog:microsoft-windows-sysmon/operational", "WinEventLog:Security", "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational")
| eval event_id = coalesce(EventCode, event_id)
| where event_id IN ("1", "11", "7", "3")
| eval parent_lower = lower(ParentImage)
| eval image_lower = lower(Image)
| where (event_id="1" AND
    match(parent_lower, "(winword|excel|powerpnt|outlook|wordpad)\.exe$") AND
    match(image_lower, "(cmd|powershell|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|wmic)\.exe$"))
  OR (event_id="1" AND
    match(parent_lower, "(winword|excel|powerpnt|outlook|wordpad)\.exe$") AND
    match(lower(CommandLine), "(invoke-expression|iex|downloadstring|webclient|-enc|-encodedcommand|bypass|http://|https://|ftp://)"))
  OR (event_id="11" AND
    match(parent_lower, "(winword|excel|powerpnt|outlook|wordpad)\.exe$") AND
    match(TargetFilename, "(?i)(\\AppData\\Local\\Temp|\\AppData\\Roaming|\\ProgramData)"))
  OR (event_id="3" AND
    match(parent_lower, "(winword|excel|powerpnt|outlook|wordpad)\.exe$") AND
    NOT match(DestinationIp, "^(10\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|192\\.168\\.)"))
| eval detection_reason = case(
    event_id="1" AND match(image_lower, "(cmd|powershell|wscript|cscript|mshta|rundll32|regsvr32)\.exe$"), "OLE host spawned suspicious child process",
    event_id="1" AND match(lower(CommandLine), "(invoke-expression|downloadstring|-enc)"), "OLE host executed encoded/download command",
    event_id="11", "OLE host wrote file to suspicious temp path",
    event_id="3", "OLE host made unexpected outbound network connection",
    true(), "OLE suspicious activity"
  )
| stats count by _time, ComputerName, User, ParentImage, Image, CommandLine, TargetFilename, DestinationIp, detection_reason
| sort - _time

Detects CVE-2025-21298 exploitation via Sysmon events: process creation (EID 1) from Office/OLE parent spawning suspicious children, file creation (EID 11) in temp paths, and network connections (EID 3) to external IPs from OLE hosts.

critical severity high confidence

Data Sources

Sysmon Windows Event Log

Required Sourcetypes

xmlwineventlog:microsoft-windows-sysmon/operational WinEventLog:Security XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Business macros that spawn cmd.exe for legitimate automation
IT management tools using OLE for deployment workflows
Legitimate document conversion processes writing to temp directories
Security tools performing authorized testing with RTF documents
Office add-ins making legitimate outbound connections to known-good endpoints

Elastic Security (EQL)

eql

sequence by host.name, process.parent.pid with maxspan=2m
  [process where event.type == "start"
    and process.parent.name in~ ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "wordpad.exe")
    and process.name in~ ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe")]
  [any where event.category in ("file", "network", "process") and
    (file.path like~ "*\\AppData\\Local\\Temp\\*" or
     file.path like~ "*\\ProgramData\\*" or
     network.direction == "outbound")]

EQL sequence detection for CVE-2025-21298: correlates OLE host process spawning a suspicious child (within 2 minutes) followed by suspicious file writes to temp paths or outbound network connections, indicating successful RCE chain.

critical severity high confidence

Data Sources

Elastic Endpoint Winlogbeat with Sysmon

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.file-* logs-endpoint.events.network-*

False Positives

Macro-driven business automation spawning cmd.exe for legitimate tasks
IT deployment workflows using Office OLE embedding
Document processing pipelines writing output to temp directories
Add-ins making authorized outbound connections for licensing or telemetry
Red team or penetration testing activities in authorized environments

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  "username",
  "sourceip",
  "Process Name" AS process_name,
  "Parent Process Name" AS parent_process_name,
  "Command" AS command_line,
  "File Path" AS file_path
FROM events
WHERE LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND (
    (LOWER("Parent Process Name") IMATCHES '.*(winword|excel|powerpnt|outlook|wordpad)\.exe$'
     AND LOWER("Process Name") IMATCHES '.*(cmd|powershell|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin)\.exe$')
    OR
    (LOWER("Parent Process Name") IMATCHES '.*(winword|excel|powerpnt|outlook|wordpad)\.exe$'
     AND (LOWER("Command") IMATCHES '.*(invoke-expression|iex|downloadstring|webclient|-encodedcommand|-enc|bypass|http://|https://).*'))
    OR
    (LOWER("Parent Process Name") IMATCHES '.*(winword|excel|powerpnt|outlook|wordpad)\.exe$'
     AND LOWER("File Path") IMATCHES '.*(appdata\\local\\temp|appdata\\roaming|programdata).*')
  )
  AND QIDNAME(qid) IN ('Process Creation', 'File Created', 'Network Connection')
LAST 7 DAYS
ORDER BY devicetime DESC

QRadar AQL query for CVE-2025-21298: identifies Office/OLE parent processes spawning suspicious children, executing encoded commands, or writing to sensitive paths, sourced from Windows Security Event Log and Sysmon.

critical severity medium confidence

Data Sources

QRadar Windows Security Event Log Sysmon

Required Tables

events

False Positives

Macro-based business processes invoking shell commands for automation
Legitimate third-party Office add-ins writing temporary files
IT-managed software deployment using OLE-embedded scripts
Authorized penetration testing or red team exercises
Document conversion services writing to temp paths during normal processing

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon OR _sourceCategory=windows/security
| where EventID in ("1", "11", "3")
| parse field=ParentImage "*" as parent_process nodrop
| parse field=Image "*" as child_process nodrop
| parse field=CommandLine "*" as command_line nodrop
| parse field=TargetFilename "*" as target_file nodrop
| where (
    matches(toLowerCase(parent_process), ".*winword\.exe|.*excel\.exe|.*powerpnt\.exe|.*outlook\.exe|.*wordpad\.exe")
    and (
      matches(toLowerCase(child_process), ".*cmd\.exe|.*powershell\.exe|.*wscript\.exe|.*cscript\.exe|.*mshta\.exe|.*rundll32\.exe|.*regsvr32\.exe|.*certutil\.exe")
      or matches(toLowerCase(command_line), ".*(invoke-expression|iex|downloadstring|webclient|-encodedcommand|-enc|bypass|http://|https://).*")
      or matches(toLowerCase(target_file), ".*(appdata\\local\\temp|appdata\\roaming|programdata).*")
    )
  )
| eval detection_category = if(
    matches(toLowerCase(child_process), ".*cmd\.exe|.*powershell\.exe"), "Suspicious child spawned by OLE host",
    if(matches(toLowerCase(command_line), ".*(invoke-expression|downloadstring|-enc).*"), "Encoded/download command from OLE host",
    if(matches(toLowerCase(target_file), ".*(temp|roaming|programdata).*"), "Suspicious file write by OLE host",
    "OLE anomaly")))
| count by _messageTime, Computer, User, parent_process, child_process, command_line, target_file, detection_category
| sort by _messageTime desc

Sumo Logic query for CVE-2025-21298: parses Sysmon and Windows Security events to detect OLE host processes (Office applications, WordPad) spawning suspicious child processes, executing encoded commands, or creating files in sensitive paths.

critical severity medium confidence

Data Sources

Sumo Logic Sysmon Windows Security Event Log

Required Tables

windows/sysmon windows/security

False Positives

Legitimate Office macros spawning cmd.exe for business workflows
Add-ins or plug-ins that write temp files as part of normal function
IT management scripts that invoke shell commands via Office OLE
Security tools conducting authorized simulations using RTF payloads
Document processing automation writing output to AppData or ProgramData

Google Chronicle / SecOps

yaral

rule cve_2025_21298_ole_rce {
  meta:
    author = "df00tech"
    description = "Detects CVE-2025-21298 Windows OLE RCE via malicious RTF document"
    severity = "CRITICAL"
    priority = "HIGH"
    reference = "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21298"
    mitre_attack_tactic = "Initial Access, Execution"
    mitre_attack_technique = "T1566.001, T1204.002"

  events:
    $proc.metadata.event_type = "PROCESS_LAUNCH"
    $proc.principal.process.file.full_path = /(?i)(winword|excel|powerpnt|outlook|wordpad)\.exe$/
    $proc.target.process.file.full_path = /(?i)(cmd|powershell|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin)\.exe$/

  match:
    $proc.principal.hostname over 5m

  condition:
    $proc
}

Chronicle YARA-L rule for CVE-2025-21298: detects PROCESS_LAUNCH events where an Office/OLE host spawns a suspicious child process, indicative of RTF-triggered OLE use-after-free exploitation leading to RCE.

critical severity high confidence

Data Sources

Google Chronicle Endpoint Detection Events

Required Tables

PROCESS_LAUNCH

False Positives

Legitimate Office macros that spawn shell commands for business automation
IT management tooling using OLE embedding for software deployment
Third-party Office add-ins that invoke command-line tools as part of normal operation
Security testing or red team exercises using RTF-based payloads in authorized environments
Document workflow automation that uses cmd.exe for output processing

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| ParentBaseFileName in ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE", "WORDPAD.EXE")
| ImageFileName in ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "wmic.exe")
  OR (CommandLine = /(?i)(invoke-expression|iex|downloadstring|webclient|-encodedcommand|-enc|bypass|http:\/\/|https:\/\/)/ )
| rename ParentBaseFileName as ole_host, ImageFileName as spawned_process
| eval detection_reason = case(
    spawned_process = /(?i)(cmd|powershell|wscript|cscript|mshta|rundll32|regsvr32)\.exe/, "OLE host spawned suspicious shell",
    CommandLine = /(?i)(invoke-expression|downloadstring|-enc|-encodedcommand)/, "OLE host executed encoded/download command",
    true(), "OLE anomaly from Office process"
  )
| table timestamp, ComputerName, UserName, ole_host, spawned_process, CommandLine, detection_reason
| sort timestamp desc

CrowdStrike CQL query for CVE-2025-21298: hunts ProcessRollup2 events where known OLE/Office host processes spawn suspicious child processes or execute encoded/download commands, indicating exploitation of the Windows OLE use-after-free RCE vulnerability.

critical severity high confidence

Data Sources

CrowdStrike Falcon EDR Telemetry

Required Tables

ProcessRollup2

False Positives

Authorized macro-driven business workflows spawning cmd.exe or PowerShell
IT automation tooling that uses Office OLE embedding for deployment
Third-party add-ins invoking shell utilities as part of licensed functionality
Approved red team or penetration testing activities using RTF payloads
Software update mechanisms within Office applications invoking command-line tools

Vulnerability Intelligence

CVE

Affected Software

Weakness (CWE)

Timeline

References & Proof of Concept

CVSS

What is CVE-2025-21298 CVE-2025-21298: Windows OLE RCE via Malicious RTF Document?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for CVE-2025-21298

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hubs

Related Techniques

Same Tactic: Initial Access

Popular Detections

Get new detections in your inbox