
CVE-2022-30190 PoC — Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability

Associated Vulnerability
Title: Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability (CVE-2022-30190)
Description: A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights. Please see the MSRC Blog Entry for important information about steps you can take to protect your system from this vulnerability.
Readme
# Five Nights at Follina's
A Fullstack Academy Cybersecurity project examining the full cycle of the Follina (CVE-2022-30190) vulnerability, from exploit to detection and defense.

Team:
- [Brian Aldrich](https://github.com/SB-Aldrich)
- [YoungWa Kim](https://github.com/T4369)
- [Jay O'Neill](https://github.com/rhomv)
- [(Binyang) Jeffrey Xu](https://github.com/jeffymcjeffface)

This set of tools assumes that you have a web host or can spin up a simple webserver using Python to host the generated or example payload files. 

# Disclaimer
The files in the Example Payloads folder contain actual malicious code. These were used with VMs on a local network and should not pose a problem on a secure network where you trust all machines, but please take care when using or modifying these files. Additionally, the document and payload generators obviously create malicious files of their own. Please use these tools only on VMs or other disposable environments! Don't use any tools here you don't understand.

# Offensive Tools
To create the Microsoft Word document with the Follina exploit, run docgen_v3.py with the following options:
- --extention/-e : changes the document output from .doc (default) to .rtf for a zero-click attack (`-e rtf`)
- --ip_address/-ip : changes the IP address the document will try to reach out to (default is 10.0.2.15)
- --port/-p : changes the port it will try to reach out to (default is 8000)

To create a payload html file, use generate_payload.py with either the `poc` subcommand to generate a proof of concept payload that opens the Windows Calculator or the `custom` subcommand to generate a payload with your own script.

Examples:
- `python generate_payload.py poc -o test.html` will generate the calculator payload in test.html
- `python generate_payload.py custom -o test.html -p "search-ms:query=procmon.exe&crumb=location:%5C%5Clive.sysinternals.com%5Ctools&displayname=IMPORTANT%20UPDATE"` will generate test.html as a custom payload with the SearchNightmare exploit

Example payloads can be found in the "Example Payloads" folder.

# Defensive Tools
Follina detection requires Sysmon to be installed to log events. Our detection methods here rely on finding instances where Microsoft Word calls MSDT.exe, but the scripts can be modified to search for other artifacts, such as the arguments used by Follina in its PowerShell command. The following tools are available:
- The Python scripts in the Sysmon Search folder allow a user to search their Sysmon logs for possible indicators of compromise by Follina and then manually examine those logs for confirmation.
- The msdt_exp-del-v3.ps1 PowerShell script performs a similar search and, if it detects signs of Follina, makes a backup of the MSDT registry key and disables MSDT by deleting the key.
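As an added example of the Word-to-MSDT parent/child check the detection scripts look for (this is not one of the project's own scripts), the following Python reads Sysmon process-creation events (Event ID 1) in the XML form Sysmon writes to the Microsoft-Windows-Sysmon/Operational channel and flags every msdt.exe launch whose parent is WINWORD.EXE. The sample records, the Office install path and the timestamps are constructed for the example; the watched-parent set is a parameter so it can be widened beyond Word, which the README's scripts do not do.

```python
"""Added example: flag Sysmon Event ID 1 records in which Microsoft Word is
the parent of msdt.exe, the parent/child pairing the README's detection
scripts look for. Input: Windows event XML, one <Event> element per record."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional

# Namespace used by Windows event XML (standard for Sysmon records).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Parents to watch. The README's scripts look only for Word; keeping the set
# as a parameter lets a defender extend it (assumption: names are as shown).
DEFAULT_PARENTS = frozenset({"winword.exe"})
SUSPICIOUS_CHILD = "msdt.exe"


@dataclass
class Hit:
    utc_time: str
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    """Case-insensitive file name of a Windows path ('C:\\X\\Y.EXE' -> 'y.exe')."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_process_create(xml_text: str) -> Optional[Dict[str, str]]:
    """Return the EventData fields of a Sysmon Event ID 1 record, else None."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "1":
        return None
    return {d.get("Name"): (d.text or "")
            for d in root.findall("e:EventData/e:Data", NS)}


def find_word_to_msdt(events, parents=DEFAULT_PARENTS) -> List[Hit]:
    """Return every msdt.exe launch whose parent image is in `parents`."""
    hits = []
    for xml_text in events:
        data = parse_process_create(xml_text)
        if data is None:
            continue  # not a process-creation event
        if (_basename(data.get("Image", "")) == SUSPICIOUS_CHILD
                and _basename(data.get("ParentImage", "")) in parents):
            hits.append(Hit(data.get("UtcTime", ""), data["ParentImage"],
                            data["Image"], data.get("CommandLine", "")))
    return hits


def _event(event_id: int, **fields: str) -> str:
    """Build a constructed Sysmon-style XML record for the sample log below."""
    ns = NS["e"]
    data = "".join(f"<Data Name='{k}'>{v}</Data>" for k, v in fields.items())
    return (f"<Event xmlns='{ns}'><System>"
            f"<Provider Name='Microsoft-Windows-Sysmon'/><EventID>{event_id}</EventID>"
            f"<Channel>Microsoft-Windows-Sysmon/Operational</Channel></System>"
            f"<EventData>{data}</EventData></Event>")


# Constructed sample log: paths and times are made up for this example.
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
MSDT = r"C:\Windows\System32\msdt.exe"
SAMPLE_EVENTS = [
    # Benign: Explorer launching Word.
    _event(1, UtcTime="2022-06-01 12:00:01.000", Image=OFFICE,
           CommandLine='"' + OFFICE + '" /n', ParentImage=r"C:\Windows\explorer.exe"),
    # Suspicious: Word launching msdt.exe (the Follina parent/child pattern).
    _event(1, UtcTime="2022-06-01 12:00:07.000", Image=MSDT,
           CommandLine='"' + MSDT + '" [arguments omitted in sample]',
           ParentImage=OFFICE),
    # Benign: msdt.exe started from Explorer by the user, not from Word.
    _event(1, UtcTime="2022-06-01 12:05:00.000", Image=MSDT,
           CommandLine='"' + MSDT + '"', ParentImage=r"C:\Windows\explorer.exe"),
    # Event ID 3 (network connection), not process creation; must be ignored.
    _event(3, UtcTime="2022-06-01 12:00:08.000", Image=MSDT),
]

if __name__ == "__main__":
    for hit in find_word_to_msdt(SAMPLE_EVENTS):
        print(f"{hit.utc_time}  {_basename(hit.parent_image)} -> "
              f"{_basename(hit.image)}: {hit.command_line}")
```

Run against a real host, the records would come from an export of the Sysmon operational channel rather than the constructed list; the match is on the parent and child image names only, so a hit still needs manual confirmation, as the README says.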

# Using Example Payloads
All example .docx, .rtf and .html files point at payloads hosted at IP address 10.0.2.15. Additionally, if you want to use the reverse shell exploit, set up a listener on port 9999.
- Click Me!.docx will Rick Roll the user
- No Click Exploit.rtf will open a reverse shell
- I'm Too Sneaky For Defender.docx will function even if Windows Defender's Real-Time Protection is enabled and will execute a SearchNightmare attack, opening up a search for Procmon
File Snapshot

[4.0K] /data/pocs/9cb3dde7ee666dff3e40a484a30bb612e884fed6
├── [2.8K] docgen_v3.py
├── [ 253] Events.ps1
├── [4.0K] example payloads
│   ├── [ 16K] Click Me!.docx
│   ├── [ 16K] I'm Too Sneaky For Defender.docx
│   ├── [127K] No Click Exploit.rtf
│   ├── [8.9K] payload2.html
│   ├── [8.6K] payload3.html
│   ├── [9.1K] payload.html
│   └── [ 354] rickroll.html
├── [2.4K] generate_payload.py
├── [1.2K] msdt_exp-del-v3.ps1
├── [3.2K] README.md
├── [4.0K] samples
│   ├── [191K] OLEQ.bmp
│   ├── [2.0K] rel
│   ├── [ 113] rtf
│   └── [3.9K] xml
└── [4.0K] Sysmon_Search
    ├── [1.8K] sysmonParse_Call.py
    └── [ 640] sysmon_Parse.py

3 directories, 18 files