Detect CVE-2025-21298: Windows OLE RCE via Malicious RTF Document in IBM QRadar
Detects exploitation of CVE-2025-21298, a use-after-free (CWE-416) vulnerability in Windows OLE that allows remote code execution when a user opens a specially crafted RTF document. With a CVSS score of 9.8 and public PoC availability, this is a critical-severity vulnerability affecting Windows 10, 11, and Server 2008-2025. Exploitation typically involves phishing emails with RTF attachments that trigger the OLE subsystem to execute attacker-controlled code in the context of the victim user.
MITRE ATT&CK
QRadar Detection Query
SELECT
DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
logsourcename(logsourceid) AS log_source,
"username",
"sourceip",
"Process Name" AS process_name,
"Parent Process Name" AS parent_process_name,
"Command" AS command_line,
"File Path" AS file_path
FROM events
WHERE LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
AND (
(LOWER("Parent Process Name") IMATCHES '.*(winword|excel|powerpnt|outlook|wordpad)\.exe$'
AND LOWER("Process Name") IMATCHES '.*(cmd|powershell|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin)\.exe$')
OR
(LOWER("Parent Process Name") IMATCHES '.*(winword|excel|powerpnt|outlook|wordpad)\.exe$'
AND (LOWER("Command") IMATCHES '.*(invoke-expression|iex|downloadstring|webclient|-encodedcommand|-enc|bypass|http://|https://).*'))
OR
(LOWER("Parent Process Name") IMATCHES '.*(winword|excel|powerpnt|outlook|wordpad)\.exe$'
AND LOWER("File Path") IMATCHES '.*(appdata\\local\\temp|appdata\\roaming|programdata).*')
)
AND QIDNAME(qid) IN ('Process Creation', 'File Created', 'Network Connection')
LAST 7 DAYS
ORDER BY devicetime DESC

QRadar AQL query for CVE-2025-21298: identifies Office/OLE parent processes spawning suspicious children, executing encoded commands, or writing to sensitive paths, sourced from Windows Security Event Log and Sysmon.
Data Sources
Required Tables
False Positives & Tuning
- Macro-based business processes invoking shell commands for automation
- Legitimate third-party Office add-ins writing temporary files
- IT-managed software deployment using OLE-embedded scripts
- Authorized penetration testing or red team exercises
- Document conversion services writing to temp paths during normal processing
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: RTF OLE Object Spawning CMD via WordPad
Expected signal: Sysmon EID 1: wordpad.exe spawning cmd.exe with parent-child relationship. DeviceProcessEvents in MDE showing InitiatingProcessFileName=wordpad.exe, FileName=cmd.exe.
- Test 2: Simulate OLE Host Encoded PowerShell Download
Expected signal: Sysmon EID 1 with CommandLine containing '-EncodedCommand' or '-enc'. DeviceProcessEvents with ProcessCommandLine matching encoded command patterns.
- Test 3: RTF File Drop to INetCache Simulating Email Attachment Open
Expected signal: Sysmon EID 11 (File Create): RTF file written to INetCache path with Outlook or Explorer as initiating process. DeviceFileEvents showing FileName ending in .rtf in INetCache path.
- Test 4: OLE Host Unexpected Outbound Network Connection
Expected signal: Sysmon EID 3: Network connection event from powershell.exe (simulating Office host) to external IP on port 80. DeviceNetworkEvents showing InitiatingProcessFileName and DestinationIP for external address.
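To check what the AQL rule above actually fires on before rolling it into production, the three branches of its WHERE clause are transcribed below into plain Python and run over constructed events shaped like the expected signals of the four tests. This is an added example, not the vendor's detection code or QRadar's own evaluation engine; the event layout (one dict per event keyed by the QRadar property names the query selects, plus a 'qidname' field) and every sample event are assumptions made for the illustration.

```python
"""Offline replay of the CVE-2025-21298 QRadar rule's WHERE clause.

Added example: the regexes are copied from the AQL query on this page, the
event format and the sample events are constructed for the demonstration.
"""
import re

# Regexes transcribed from the three branches of the AQL rule.  IMATCHES is
# case-insensitive, so re.I replaces the LOWER() calls in the original query.
OFFICE_PARENT = re.compile(r".*(winword|excel|powerpnt|outlook|wordpad)\.exe$", re.I)
LOLBIN_CHILD = re.compile(
    r".*(cmd|powershell|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin)\.exe$", re.I)
SUSPICIOUS_CMD = re.compile(
    r".*(invoke-expression|iex|downloadstring|webclient|-encodedcommand|-enc|bypass|http://|https://).*", re.I)
SENSITIVE_PATH = re.compile(r".*(appdata\\local\\temp|appdata\\roaming|programdata).*", re.I)

# QID names the rule restricts itself to: QIDNAME(qid) IN (...).
IN_SCOPE_QIDS = {"Process Creation", "File Created", "Network Connection"}


def match_branches(event):
    """Return the names of the rule branches this event satisfies ([] = no alert)."""
    if event.get("qidname") not in IN_SCOPE_QIDS:
        return []
    # Every branch of the WHERE clause requires an Office/WordPad parent process.
    if not OFFICE_PARENT.match(event.get("Parent Process Name", "")):
        return []
    hits = []
    if LOLBIN_CHILD.match(event.get("Process Name", "")):
        hits.append("office_spawns_lolbin")
    if SUSPICIOUS_CMD.match(event.get("Command", "")):
        hits.append("suspicious_command_line")
    if SENSITIVE_PATH.match(event.get("File Path", "")):
        hits.append("write_to_sensitive_path")
    return hits


def run(events):
    """Map event id -> matched branches, mirroring the rows the AQL query would return."""
    return {e["id"]: match_branches(e) for e in events}


# Constructed sample events (assumption), one per expected signal in the
# Testing Methodology plus two negatives.  Paths and command lines are made up.
SAMPLE_EVENTS = [
    {"id": "t1", "qidname": "Process Creation",
     "Parent Process Name": r"C:\Program Files\Windows NT\Accessories\wordpad.exe",
     "Process Name": r"C:\Windows\System32\cmd.exe",
     "Command": "cmd.exe /c ver", "File Path": ""},
    {"id": "t2", "qidname": "Process Creation",
     "Parent Process Name": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Process Name": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Command": "powershell.exe -EncodedCommand <base64-placeholder>", "File Path": ""},
    # Test 3 as described: RTF dropped under INetCache by Outlook.
    {"id": "t3_inetcache", "qidname": "File Created",
     "Parent Process Name": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "Process Name": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "Command": "",
     "File Path": r"C:\Users\alice\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\ABCD1234\invoice.rtf"},
    # Same drop, but into the Temp folder the rule's path regex does cover.
    {"id": "t3_temp", "qidname": "File Created",
     "Parent Process Name": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "Process Name": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "Command": "", "File Path": r"C:\Users\alice\AppData\Local\Temp\invoice.rtf"},
    {"id": "t4", "qidname": "Network Connection",
     "Parent Process Name": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Process Name": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Command": "powershell.exe", "File Path": ""},
    {"id": "benign", "qidname": "Process Creation",
     "Parent Process Name": r"C:\Windows\explorer.exe",
     "Process Name": r"C:\Windows\System32\cmd.exe", "Command": "cmd.exe", "File Path": ""},
    {"id": "out_of_scope", "qidname": "Logon",
     "Parent Process Name": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Process Name": r"C:\Windows\System32\cmd.exe", "Command": "cmd.exe", "File Path": ""},
]

if __name__ == "__main__":
    for event_id, branches in run(SAMPLE_EVENTS).items():
        print(f"{event_id:13s} -> {branches or 'no match'}")
```

Two things the replay makes visible. The INetCache path named in Test 3 is not in the rule's third-branch path regex (only Temp, Roaming and ProgramData are), so that expected signal as described does not produce a row from this query; if Test 3 is part of your validation, extend the `File Path` pattern (for example with an `inetcache` alternative) or accept that branch 1 and 2 are what cover the scenario. Second, the command-line tokens `iex`, `-enc` and `bypass` are substring matches, so any Office-spawned command line containing them (such as a path with `iexplore` in it) trips branch 2; that is worth folding into the false-positive tuning list above.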