Detect CVE-2025-21298: Windows OLE RCE via Malicious RTF Document in CrowdStrike LogScale
Detects exploitation of CVE-2025-21298, a use-after-free (CWE-416) vulnerability in Windows OLE that allows remote code execution when a user opens a specially crafted RTF document. With a CVSS score of 9.8 and public PoC availability, this is a critical-severity vulnerability affecting Windows 10, 11, and Server 2008-2025. Exploitation typically involves phishing emails with RTF attachments that trigger the OLE subsystem to execute attacker-controlled code in the context of the victim user.
MITRE ATT&CK
LogScale Detection Query
#event_simpleName=ProcessRollup2
| ParentBaseFileName in ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE", "WORDPAD.EXE")
| ImageFileName in ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "wmic.exe")
OR (CommandLine = /(?i)(invoke-expression|iex|downloadstring|webclient|-encodedcommand|-enc|bypass|http:\/\/|https:\/\/)/ )
| rename ParentBaseFileName as ole_host, ImageFileName as spawned_process
| eval detection_reason = case(
spawned_process = /(?i)(cmd|powershell|wscript|cscript|mshta|rundll32|regsvr32)\.exe/, "OLE host spawned suspicious shell",
CommandLine = /(?i)(invoke-expression|downloadstring|-enc|-encodedcommand)/, "OLE host executed encoded/download command",
true(), "OLE anomaly from Office process"
)
| table timestamp, ComputerName, UserName, ole_host, spawned_process, CommandLine, detection_reason
| sort timestamp descCrowdStrike CQL query for CVE-2025-21298: hunts ProcessRollup2 events where known OLE/Office host processes spawn suspicious child processes or execute encoded/download commands, indicating exploitation of the Windows OLE use-after-free RCE vulnerability.
Data Sources
Required Tables
False Positives & Tuning
- Authorized macro-driven business workflows spawning cmd.exe or PowerShell
- IT automation tooling that uses Office OLE embedding for deployment
- Third-party add-ins invoking shell utilities as part of licensed functionality
- Approved red team or penetration testing activities using RTF payloads
- Software update mechanisms within Office applications invoking command-line tools
Other platforms for CVE-2025-21298
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1RTF OLE Object Spawning CMD via WordPad
Expected signal: Sysmon EID 1: wordpad.exe spawning cmd.exe with parent-child relationship. DeviceProcessEvents in MDE showing InitiatingProcessFileName=wordpad.exe, FileName=cmd.exe.
- Test 2Simulate OLE Host Encoded PowerShell Download
Expected signal: Sysmon EID 1 with CommandLine containing '-EncodedCommand' or '-enc'. DeviceProcessEvents with ProcessCommandLine matching encoded command patterns.
- Test 3RTF File Drop to INetCache Simulating Email Attachment Open
Expected signal: Sysmon EID 11 (File Create): RTF file written to INetCache path with Outlook or Explorer as initiating process. DeviceFileEvents showing FileName ending in .rtf in INetCache path.
- Test 4OLE Host Unexpected Outbound Network Connection
Expected signal: Sysmon EID 3: Network connection event from powershell.exe (simulating Office host) to external IP on port 80. DeviceNetworkEvents showing InitiatingProcessFileName and DestinationIP for external address.
Unlock Pro Content
Get the full detection package for CVE-2025-21298 including response playbook, investigation guide, and atomic red team tests.