YaKs
Level 7
Message 1 of 3

False positive Windows Shell Remote Code Execution Vulnerability (OUTLOOK)

Hi,
Since I enabled rule ID 6123, I am getting a daily alert that I am not sure how to proceed with it.
First impression was that on the first execution my Outlook is creating some temp file as part of the normal initialization. I was tempted to whitelist Outlook, but I thought that this action would reduce the effectiveness of the rule, as Outlook is a very common attack vector, especially during phishing attacks.
 
Secondly, I was a bit confused as I couldn't find much information about that behaviour in Microsoft sites. So I started doubting if that is a false positive or not. I went to the temp folder and nothing is there. I am tempted to start doing some forensics to find those deleted files and analyse them more in depth but first I wanted to ask around here just in case someone already saw that behaviour and can offer an explanation for it.
 
Many thanks
 
 
XXX\YYYY ran C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE, which accessed the file C:\Users\YYYY\AppData\Local\Temp\Deployment\QPNJBOXV.QY5\L1REJGME.Y8M.application, violating the rule "Windows Shell Remote Code Execution Vulnerability". Access was allowed because the rule wasn't configured to block.
 
Analyzer / Detector
Analyzer content version: 10.6.0.10549
Product name: McAfee Endpoint Security
Analyzer rule ID: 6123
Analyzer rule name: Windows Shell Remote Code Execution Vulnerability
Product version: 10.7.0
Feature name: Exploit Prevention
 
Threat
Action taken: Would Block
Threat category: 'File' class or access
Threat event ID: 18060
Threat handled: Yes
Threat name: Windows Shell Remote Code Execution Vulnerability
Threat severity: Critical
Threat timestamp: 18/2/2021 9:43 AM
Threat type: Exploit Prevention
 
Source
Source access time: 12/2/2021 2:36 PM
Source create time: 12/1/2021 9:11 AM
Source description: "C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE"
Source file path: C:\Program Files (x86)\Microsoft Office\Office16
Source file size: 23299392
Source modify time: 12/1/2021 9:11 AM
Source process file hash: 8bece107d8c4cf10f3b8cc320edf9f27
Source process name: OUTLOOK.EXE
Source process signed: Yes
Source process signer: C=US, S=WASHINGTON, L=REDMOND, O=MICROSOFT CORPORATION, CN=MICROSOFT CORPORATION
Source user name: XXXX\YYYY
 
Target
Target access time: 18/2/2021 9:43 AM
Target create time: 18/2/2021 9:43 AM
Target file size (bytes): 5504
Target hash: a993a2d922d91c3fa5e30bc2ddc3fdd2
Target host name: ----------------------
Target modify time: 18/2/2021 9:43 AM
Target name: L1REJGME.Y8M.application
Target path: C:\Users\YYYYY\AppData\Local\Temp\Deployment\QPNJBOXV.QY5
Target signed: No
Target user name: SYSTEM
 
2 Replies
Pravas
McAfee Employee
Message 2 of 3

Re: False positive Windows Shell Remote Code Execution Vulnerability (OUTLOOK)

Hi @YaKs ,

This refers to CVE-2018-8414. Please verify whether the OS is patched as per the available security updates found in the link below.

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2018-8414

Thanks

 

YaKs
Level 7
Message 3 of 3

Re: False positive Windows Shell Remote Code Execution Vulnerability (OUTLOOK)

Morning Pravas,

I am running W10 1809 (build 17763). That patch does not apply according to the Microsoft page.

It might be superseded in the feature update 1809.

I monitored the outlook.exe process using procmon (Sysinternals) and indeed it creates some temporary files during the startup of the application. Unfortunately I could not obtain those files for a deeper analysis (as they get immediately deleted).

Any other suggestion?

 

thanks

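The third post hits the usual wall with transient temp files: procmon shows the create/delete pair, but the file is gone before anyone can hash it or open it. The following is an added example, not code from the original thread or from McAfee, showing one way to grab such files for analysis: a FileSystemWatcher on the same folder the alert names (`%LOCALAPPDATA%\Temp\Deployment`), which copies each new file out the instant it appears and records a SHA-256 of the copy. The destination folder `C:\IR\capture` is an assumed location of your choosing; run it in the interactive session of the user whose Outlook is being started.

```powershell
# Added example (not part of the original forum thread): capture short-lived files
# under %LOCALAPPDATA%\Temp\Deployment as they are created, before the writer
# deletes them, so they can be hashed and inspected.
# Assumptions: run as the same user who starts Outlook; C:\IR\capture is a
# hypothetical destination folder chosen for this example.

$watchPath = Join-Path $env:LOCALAPPDATA 'Temp\Deployment'
$dest      = 'C:\IR\capture'
New-Item -ItemType Directory -Path $dest -Force | Out-Null
if (-not (Test-Path -LiteralPath $watchPath)) {
    New-Item -ItemType Directory -Path $watchPath -Force | Out-Null
}

$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path                  = $watchPath
$watcher.Filter                = '*.*'
$watcher.IncludeSubdirectories = $true          # the alert shows a random subfolder (QPNJBOXV.QY5)
$watcher.NotifyFilter          = [System.IO.NotifyFilters]'FileName, LastWrite'
$watcher.EnableRaisingEvents   = $true

$action = {
    $src     = $Event.SourceEventArgs.FullPath
    $destDir = $Event.MessageData
    # Best-effort race against the writer: the file may still be locked, or may
    # already be gone by the time this handler runs, so retry briefly.
    for ($i = 0; $i -lt 20; $i++) {
        try {
            if (-not (Test-Path -LiteralPath $src -PathType Leaf)) {
                Start-Sleep -Milliseconds 10
                continue
            }
            $name = '{0:yyyyMMdd_HHmmss_fff}_{1}' -f (Get-Date), (Split-Path $src -Leaf)
            $copy = Join-Path $destDir $name
            Copy-Item -LiteralPath $src -Destination $copy -ErrorAction Stop
            $hash = (Get-FileHash -LiteralPath $copy -Algorithm SHA256).Hash
            '{0} captured {1} -> {2} sha256={3}' -f (Get-Date -Format o), $src, $copy, $hash |
                Tee-Object -FilePath (Join-Path $destDir 'capture.log') -Append
            break
        } catch {
            Start-Sleep -Milliseconds 10
        }
    }
}

# Copy on Created and again on Changed: a file may be created empty and written
# to afterwards, and the Created copy would then be zero bytes.
$subs = @(
    Register-ObjectEvent -InputObject $watcher -EventName Created -Action $action -MessageData $dest
    Register-ObjectEvent -InputObject $watcher -EventName Changed -Action $action -MessageData $dest
)

Write-Host "Watching $watchPath ... start Outlook now; press Ctrl+C to stop."
try {
    while ($true) { Wait-Event -Timeout 1 | Out-Null }
}
finally {
    $subs | Unregister-Event
    $watcher.Dispose()
}
```

The capture is a race, so a file that lives for only a few milliseconds can still be missed. If it is, the fallback is to stop the deletion rather than chase it: temporarily add a Deny ACE for the Delete and Delete-subfolders-and-files rights on the `Deployment` folder for the test user (for example with `icacls`), start Outlook, collect the files, then remove the ACE again. Do that only on a test machine, since the application may behave differently when its cleanup fails. Whichever way the files are obtained, compare the SHA-256 of the copy with the hash McAfee logged in the event (`Target hash`) so that the analysed file is the one the rule actually fired on.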