## https://sploitus.com/exploit?id=1E02B057-FCE8-5F88-8BC9-0289C8F014BE
## CVE-2021-42292
This package will detect exploits of [CVE-2021-42292](https://vulners.com/cve/CVE-2021-42292), a Microsoft Excel local
privilege escalation vulnerability, and generate a notice in notice.log for it.
https://corelight.com/blog/detecting-cve-2021-42292
#### Detection Method:
This package detects the vulnerability when the triggering Excel spreadsheet downloads a second spreadsheet.
The second spreadsheet is executed with elevated privileges. We can detect Microsoft Excel downloading
a Microsoft Excel file with this script. In our testing on some live networks we monitor,
this combination was extremely rare and we have not seen any false positives so far.
#### Usage:
```
$ zeek -Cr excelsploit_1.pcap packages
$ cat notice.log
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path notice
#open 2021-11-10-10-56-50
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double
1636433584.277654 CeV1DA2EM1pRTfgWkc 127.0.0.1 51543 127.0.0.1 80 - - - tcp CVE_2021_42292::CVE_2021_42292 127.0.0.1 may be compromised by CVE-2021-42292, MS Office Excel download using Office from 127.0.0.1 detected. See sub field for additional triage information host='127.0.0.1', method='HEAD', user_agent='Microsoft Office Excel 2014', CONTENT-TYPE='application/vnd.ms-excel', uri='/replica.xls' 127.0.0.1 127.0.0.1 80 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
1636433584.311236 CgKWSM1bhhl7K8B6n8 127.0.0.1 51545 127.0.0.1 80 - - - tcp CVE_2021_42292::CVE_2021_42292 127.0.0.1 may be compromised by CVE-2021-42292, MS Office Excel download using Office from 127.0.0.1 detected. See sub field for additional triage information host='127.0.0.1', method='GET', user_agent='Mozilla/4.0 (compatible; ms-office; MSOffice 16)', CONTENT-TYPE='application/vnd.ms-excel', uri='/replica.xls' 127.0.0.1 127.0.0.1 80 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
#close 2021-11-10-10-56-50
```
Suricata rules are also provided that mirror the detection methodology of the
Zeek package.
#### Links:
* Associated blog including walk through of code elements:
* https://corelight.com/blog/detecting-cve-2021-42292
* MIME Types:
* https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types/Common_types
* Excel User Agents:
* https://developers.whatismybrowser.com/useragents/explore/software_name/excel/