This artifact will enable both application and removal of the reccomended mitigation for CVE-2021-40444.
Disabling the installation of all ActiveX controls in Internet Explorer mitigates this attack. This can be accomplished for all sites by updating the registry. Previously-installed ActiveX controls will continue to run, but do not expose this vulnerability.
To disable installing ActiveX controls in Internet Explorer in all zones
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1001"=dword:00000003
"1004"=dword:00000003
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1001"=dword:00000003
"1004"=dword:00000003
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1001"=dword:00000003
"1004"=dword:00000003
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000003
"1004"=dword:00000003
This sets the URLACTION_DOWNLOAD_SIGNED_ACTIVEX
(0x1001) and
URLACTION_DOWNLOAD_UNSIGNED_ACTIVEX
(0x1004) to DISABLED
(3) for all
internet zones for 64-bit and 32-bit processes. New ActiveX controls will
not be installed. Previously-installed ActiveX controls will continue to run.
NOTE: if both AddMitigation and DeleteMitigation is selected DeleteMitigation will take preference. Reboot may be required.
name: Windows.Registry.CVE_2021_40444
author: Matt Green - @mgreen27
description: |
This artifact will enable both application and removal of the
reccomended mitigation for CVE-2021-40444.
Disabling the installation of all ActiveX controls in Internet
Explorer mitigates this attack. This can be accomplished for all
sites by updating the registry. Previously-installed ActiveX
controls will continue to run, but do not expose this
vulnerability.
To disable installing ActiveX controls in Internet Explorer in all
zones
```
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1001"=dword:00000003
"1004"=dword:00000003
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1001"=dword:00000003
"1004"=dword:00000003
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1001"=dword:00000003
"1004"=dword:00000003
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000003
"1004"=dword:00000003
```
This sets the `URLACTION_DOWNLOAD_SIGNED_ACTIVEX` (0x1001) and
`URLACTION_DOWNLOAD_UNSIGNED_ACTIVEX` (0x1004) to `DISABLED` (3) for all
internet zones for 64-bit and 32-bit processes. New ActiveX controls will
not be installed. Previously-installed ActiveX controls will continue to run.
**NOTE**: if both AddMitigation and DeleteMitigation is selected
DeleteMitigation will take preference. Reboot may be required.
reference:
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444
type: CLIENT
precondition:
SELECT * FROM info() where OS = 'windows'
parameters:
- name: SearchRegistryGlob
default: HKEY_LOCAL_MACHINE/SOFTWARE/Policies/Microsoft/Windows/CurrentVersion/Internet Settings/Zones/{0,1,2,3}/*
- name: AddMitigation
type: bool
description: Add registry key mitigations for CVE-2021-40444.
- name: DeleteMitigation
type: bool
description: Remove registry key mitigations for CVE-2021-40444.
sources:
- query: |
-- set registry values
LET setvalues = SELECT
reg_set_value(path='HKEY_LOCAL_MACHINE/SOFTWARE/Policies/Microsoft/Windows/CurrentVersion/Internet Settings/Zones/0/1001/',
type='DWORD',value=3,create='Y'),
reg_set_value(path='HKEY_LOCAL_MACHINE/SOFTWARE/Policies/Microsoft/Windows/CurrentVersion/Internet Settings/Zones/0/1004/',
type='DWORD',value=3,create='Y'),
reg_set_value(path='HKEY_LOCAL_MACHINE/SOFTWARE/Policies/Microsoft/Windows/CurrentVersion/Internet Settings/Zones/1/1001/',
type='DWORD',value=3,create='Y'),
reg_set_value(path='HKEY_LOCAL_MACHINE/SOFTWARE/Policies/Microsoft/Windows/CurrentVersion/Internet Settings/Zones/1/1004/',
type='DWORD',value=3,create='Y'),
reg_set_value(path='HKEY_LOCAL_MACHINE/SOFTWARE/Policies/Microsoft/Windows/CurrentVersion/Internet Settings/Zones/2/1001/',
type='DWORD',value=3,create='Y'),
reg_set_value(path='HKEY_LOCAL_MACHINE/SOFTWARE/Policies/Microsoft/Windows/CurrentVersion/Internet Settings/Zones/2/1004/',
type='DWORD',value=3,create='Y'),
reg_set_value(path='HKEY_LOCAL_MACHINE/SOFTWARE/Policies/Microsoft/Windows/CurrentVersion/Internet Settings/Zones/3/1001/',
type='DWORD',value=3,create='Y'),
reg_set_value(path='HKEY_LOCAL_MACHINE/SOFTWARE/Policies/Microsoft/Windows/CurrentVersion/Internet Settings/Zones/3/1004/',
type='DWORD',value=3,create='Y')
FROM scope()
LET rmvalues = SELECT
reg_rm_value(path='HKEY_LOCAL_MACHINE/SOFTWARE/Policies/Microsoft/Windows/CurrentVersion/Internet Settings/Zones/0/1001/'),
reg_rm_value(path='HKEY_LOCAL_MACHINE/SOFTWARE/Policies/Microsoft/Windows/CurrentVersion/Internet Settings/Zones/0/1004/'),
reg_rm_value(path='HKEY_LOCAL_MACHINE/SOFTWARE/Policies/Microsoft/Windows/CurrentVersion/Internet Settings/Zones/1/1001/'),
reg_rm_value(path='HKEY_LOCAL_MACHINE/SOFTWARE/Policies/Microsoft/Windows/CurrentVersion/Internet Settings/Zones/1/1004/'),
reg_rm_value(path='HKEY_LOCAL_MACHINE/SOFTWARE/Policies/Microsoft/Windows/CurrentVersion/Internet Settings/Zones/2/1001/'),
reg_rm_value(path='HKEY_LOCAL_MACHINE/SOFTWARE/Policies/Microsoft/Windows/CurrentVersion/Internet Settings/Zones/2/1004/'),
reg_rm_value(path='HKEY_LOCAL_MACHINE/SOFTWARE/Policies/Microsoft/Windows/CurrentVersion/Internet Settings/Zones/3/1001/'),
reg_rm_value(path='HKEY_LOCAL_MACHINE/SOFTWARE/Policies/Microsoft/Windows/CurrentVersion/Internet Settings/Zones/3/1004/')
FROM scope()
LET values <= SELECT *
FROM if(condition=DeleteMitigation,
then= rmvalues,
else=if(condition=AddMitigation,
then=setvalues))
-- output rows add some description on applied settings.
SELECT
timestamp(string=Mtime) as ModifiedTime,
FullPath as KeyPath,
Data.value as Value,
if(condition= FullPath=~'1001$',
then='URLACTION_DOWNLOAD_SIGNED_ACTIVEX (0x1001) - mitigation to DISABLED (3)',
else= if(condition= FullPath=~'1004$',
then='URLACTION_DOWNLOAD_UNSIGNED_ACTIVEX (0x1004) - mitigation to DISABLED (3)',
else= 'UNKNOWN')) as Description
FROM glob(globs=SearchRegistryGlob, accessor='registry')
WHERE Data.type = 'DWORD'