Windows.Registry.CVE_2021_40444 :: Velociraptor

Windows.Registry.CVE_2021_40444

This artifact will enable both application and removal of the reccomended mitigation for CVE-2021-40444.

Disabling the installation of all ActiveX controls in Internet Explorer mitigates this attack. This can be accomplished for all sites by updating the registry. Previously-installed ActiveX controls will continue to run, but do not expose this vulnerability.

To disable installing ActiveX controls in Internet Explorer in all zones

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000003
"1004"=dword:00000003

This sets the URLACTION_DOWNLOAD_SIGNED_ACTIVEX (0x1001) and URLACTION_DOWNLOAD_UNSIGNED_ACTIVEX (0x1004) to DISABLED (3) for all internet zones for 64-bit and 32-bit processes. New ActiveX controls will not be installed. Previously-installed ActiveX controls will continue to run.

NOTE: if both AddMitigation and DeleteMitigation is selected DeleteMitigation will take preference. Reboot may be required.


name: Windows.Registry.CVE_2021_40444
author: Matt Green - @mgreen27
description: |
    This artifact will enable both application and removal of the
    reccomended mitigation for CVE-2021-40444.

    Disabling the installation of all ActiveX controls in Internet
    Explorer mitigates this attack. This can be accomplished for all
    sites by updating the registry. Previously-installed ActiveX
    controls will continue to run, but do not expose this
    vulnerability.

    To disable installing ActiveX controls in Internet Explorer in all
    zones

    ```
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
    "1001"=dword:00000003
    "1004"=dword:00000003

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
    "1001"=dword:00000003
    "1004"=dword:00000003

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
    "1001"=dword:00000003
    "1004"=dword:00000003

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
    "1001"=dword:00000003
    "1004"=dword:00000003
    ```

    This sets the `URLACTION_DOWNLOAD_SIGNED_ACTIVEX` (0x1001) and
    `URLACTION_DOWNLOAD_UNSIGNED_ACTIVEX` (0x1004) to `DISABLED` (3) for all
    internet zones for 64-bit and 32-bit processes. New ActiveX controls will
    not be installed. Previously-installed ActiveX controls will continue to run.

    **NOTE**: if both AddMitigation and DeleteMitigation is selected
    DeleteMitigation will take preference. Reboot may be required.

reference:
  - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444

type: CLIENT

precondition:
  SELECT * FROM info() where OS = 'windows'

parameters:
  - name: SearchRegistryGlob
    default: HKEY_LOCAL_MACHINE/SOFTWARE/Policies/Microsoft/Windows/CurrentVersion/Internet Settings/Zones/{0,1,2,3}/*
  - name: AddMitigation
    type: bool
    description: Add registry key mitigations for CVE-2021-40444.
  - name: DeleteMitigation
    type: bool
    description: Remove registry key mitigations for CVE-2021-40444.

sources:
  - query: |
        -- set registry values
        LET setvalues = SELECT
            reg_set_value(path='HKEY_LOCAL_MACHINE/SOFTWARE/Policies/Microsoft/Windows/CurrentVersion/Internet Settings/Zones/0/1001/',
                type='DWORD',value=3,create='Y'),
            reg_set_value(path='HKEY_LOCAL_MACHINE/SOFTWARE/Policies/Microsoft/Windows/CurrentVersion/Internet Settings/Zones/0/1004/',
                type='DWORD',value=3,create='Y'),
            reg_set_value(path='HKEY_LOCAL_MACHINE/SOFTWARE/Policies/Microsoft/Windows/CurrentVersion/Internet Settings/Zones/1/1001/',
                type='DWORD',value=3,create='Y'),
            reg_set_value(path='HKEY_LOCAL_MACHINE/SOFTWARE/Policies/Microsoft/Windows/CurrentVersion/Internet Settings/Zones/1/1004/',
                type='DWORD',value=3,create='Y'),
            reg_set_value(path='HKEY_LOCAL_MACHINE/SOFTWARE/Policies/Microsoft/Windows/CurrentVersion/Internet Settings/Zones/2/1001/',
                type='DWORD',value=3,create='Y'),
            reg_set_value(path='HKEY_LOCAL_MACHINE/SOFTWARE/Policies/Microsoft/Windows/CurrentVersion/Internet Settings/Zones/2/1004/',
                type='DWORD',value=3,create='Y'),
            reg_set_value(path='HKEY_LOCAL_MACHINE/SOFTWARE/Policies/Microsoft/Windows/CurrentVersion/Internet Settings/Zones/3/1001/',
                type='DWORD',value=3,create='Y'),
            reg_set_value(path='HKEY_LOCAL_MACHINE/SOFTWARE/Policies/Microsoft/Windows/CurrentVersion/Internet Settings/Zones/3/1004/',
                type='DWORD',value=3,create='Y')
        FROM scope()

        LET rmvalues = SELECT
            reg_rm_value(path='HKEY_LOCAL_MACHINE/SOFTWARE/Policies/Microsoft/Windows/CurrentVersion/Internet Settings/Zones/0/1001/'),
            reg_rm_value(path='HKEY_LOCAL_MACHINE/SOFTWARE/Policies/Microsoft/Windows/CurrentVersion/Internet Settings/Zones/0/1004/'),
            reg_rm_value(path='HKEY_LOCAL_MACHINE/SOFTWARE/Policies/Microsoft/Windows/CurrentVersion/Internet Settings/Zones/1/1001/'),
            reg_rm_value(path='HKEY_LOCAL_MACHINE/SOFTWARE/Policies/Microsoft/Windows/CurrentVersion/Internet Settings/Zones/1/1004/'),
            reg_rm_value(path='HKEY_LOCAL_MACHINE/SOFTWARE/Policies/Microsoft/Windows/CurrentVersion/Internet Settings/Zones/2/1001/'),
            reg_rm_value(path='HKEY_LOCAL_MACHINE/SOFTWARE/Policies/Microsoft/Windows/CurrentVersion/Internet Settings/Zones/2/1004/'),
            reg_rm_value(path='HKEY_LOCAL_MACHINE/SOFTWARE/Policies/Microsoft/Windows/CurrentVersion/Internet Settings/Zones/3/1001/'),
            reg_rm_value(path='HKEY_LOCAL_MACHINE/SOFTWARE/Policies/Microsoft/Windows/CurrentVersion/Internet Settings/Zones/3/1004/')
        FROM scope()

        LET values <= SELECT *
            FROM if(condition=DeleteMitigation,
                then= rmvalues,
                else=if(condition=AddMitigation,
                    then=setvalues))

        -- output rows add some description on applied settings.
        SELECT
            timestamp(string=Mtime) as ModifiedTime,
            FullPath as KeyPath,
            Data.value as Value,
            if(condition= FullPath=~'1001$',
                then='URLACTION_DOWNLOAD_SIGNED_ACTIVEX (0x1001) - mitigation to DISABLED (3)',
                else= if(condition= FullPath=~'1004$',
                    then='URLACTION_DOWNLOAD_UNSIGNED_ACTIVEX (0x1004) - mitigation to DISABLED (3)',
                    else= 'UNKNOWN')) as Description
        FROM glob(globs=SearchRegistryGlob, accessor='registry')
        WHERE Data.type = 'DWORD'