CrowdStrike Falcon Complete observed in-the-wild exploitation of a then-unknown zero-day vulnerability in Windows Error Reporting (WER), later disclosed as CVE-2023-36874. The write-up details how the vulnerability was discovered, the exploit chain, privilege escalation to SYSTEM through WER impersonation, the file-system redirection hijack that makes it work, and the associated indicators of compromise. #CVE-2023-36874 #WindowsErrorReporting #wermgr #RDP #CrowdStrike #CrowdStrikeFalconComplete
Keypoints
- The zero-day, later assigned CVE-2023-36874, was observed being exploited in the Windows Error Reporting (WER) component; it was independently discovered and disclosed by Google Threat Analysis Group before CrowdStrike published.
- Binaries were dropped on the system over an RDP connection from an unmanaged host; Falcon Complete blocked and quarantined them as suspected exploits for CVE-2021-24084.
- The WER service and its COM interfaces give the attacker a chain that ends with the service executing wermgr.exe; with the file-system redirection in place, an attacker-controlled binary runs in its place with the privileges of the WER service (SYSTEM).
- The exploit kit's goal is to spawn a privileged interpreter (cmd.exe or powershell_ise.exe) in the interactive session, falling back to creating a privileged scheduled task.
MITRE Techniques
- [T1021.001] Remote Services: Remote Desktop Protocol - Binaries dropped via RDP from an unmanaged host. "via Remote Desktop Protocol (RDP) connection from an unmanaged host."
- [T1068] Exploitation for Privilege Escalation - Privilege escalation achieved via WER impersonation and process creation. "This allows the attacker-controlled executable to be run with the privileges of the WER service (i.e., SYSTEM)."
- [T1574] Hijack Execution Flow - Execution flow redirected by creating an object-manager symbolic link for the C: drive, so that the path the WER service opens resolves to attacker-controlled files. "Creates a redirection from the C: drive to C:\Users\public\test by calling the NtCreateSymbolicLink function, where the third and fourth parameters point respectively to \??\C: and \GLOBAL??\C:\Users\Public\Test."
- [T1059.003] Windows Command Shell - The exploit kit aims to spawn a privileged interpreter, specifically cmd.exe, in the interactive session. "spawn a privileged interpreter, either the traditional command interpreter cmd.exe, or powershell_ise.exe, in the interactive session from which the binary was launched."
- [T1059.001] PowerShell - The exploit kit aims to spawn a privileged interpreter, specifically powershell_ise.exe, in the interactive session. "spawn a privileged interpreter, either the traditional command interpreter cmd.exe, or powershell_ise.exe, in the interactive session from which the binary was launched."
Indicators of Compromise
- [Filename] Dropped binaries observed during the incident investigation: 10new+11_ISE_0x000109D59D6CC3F4.exe, 8_ise.exe
- [SHA256 Hash] Corresponding hashes for the observed binaries: e800d1271b15d1db04280a64905104a912094d2938fd6b024ce143f1221d22f5, 338ac127e81316d3b4a625ddf28eff2693778f3c8f1050cc06467845232e8da2
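The indicators above split into two kinds: file artifacts (the two hashes and filenames) and the behaviour the exploit kit exhibits once the hijack succeeds (a wermgr.exe running as SYSTEM that spawns cmd.exe or powershell_ise.exe in the interactive session, or schtasks.exe as the fallback). The following hunting script is an added example, not CrowdStrike's code and not part of the write-up. It assumes process-creation records shaped like Sysmon Event ID 1 (field names Image, ParentImage, User, Hashes, TerminalSessionId are an assumption about the log source), and the sample events are constructed, not taken from the incident.

```python
import ntpath

# SHA256 hashes of the two binaries listed under Indicators of Compromise.
IOC_SHA256 = {
    "e800d1271b15d1db04280a64905104a912094d2938fd6b024ce143f1221d22f5",
    "338ac127e81316d3b4a625ddf28eff2693778f3c8f1050cc06467845232e8da2",
}
# Filenames of the dropped binaries (compared case-insensitively).
IOC_FILENAMES = {"10new+11_ise_0x000109d59d6cc3f4.exe", "8_ise.exe"}
# Interpreters the exploit kit tries to spawn from the hijacked wermgr.exe,
# and the tool behind its scheduled-task fallback.
PRIVILEGED_INTERPRETERS = {"cmd.exe", "powershell_ise.exe"}
TASK_TOOLS = {"schtasks.exe"}
SYSTEM_USER = "nt authority\\system"


def _name(path):
    """Lower-cased file name of a Windows path ('' if missing)."""
    return ntpath.basename(path or "").lower()


def _sha256(hashes):
    """Pull the SHA256 out of a Sysmon-style 'SHA1=...,SHA256=...' field."""
    for part in (hashes or "").split(","):
        key, _, value = part.partition("=")
        if key.strip().upper() == "SHA256":
            return value.strip().lower()
    return ""


def classify(event):
    """Return the list of finding labels for one process-creation event.

    `event` is a dict with Sysmon Event ID 1 style keys (assumed field names):
    ProcessId, Image, ParentImage, User, Hashes, TerminalSessionId.
    """
    findings = []
    image = _name(event.get("Image"))
    parent = _name(event.get("ParentImage"))
    user = (event.get("User") or "").lower()

    # 1. File-based IoCs from the write-up.
    if _sha256(event.get("Hashes")) in IOC_SHA256:
        findings.append("ioc_sha256")
    if image in IOC_FILENAMES:
        findings.append("ioc_filename")

    # 2. Behavioural IoCs: a SYSTEM wermgr.exe spawning an interpreter in a
    #    user (non-zero) session, or falling back to creating a scheduled task.
    #    A legitimate wermgr.exe running as SYSTEM lives in session 0.
    if parent == "wermgr.exe" and user == SYSTEM_USER:
        if image in PRIVILEGED_INTERPRETERS and event.get("TerminalSessionId", 0) != 0:
            findings.append("wermgr_spawned_interpreter_in_user_session")
        elif image in TASK_TOOLS:
            findings.append("wermgr_spawned_schtasks")
    return findings


def scan(events):
    """Map ProcessId -> findings for every event that triggered at least one."""
    hits = {}
    for ev in events:
        found = classify(ev)
        if found:
            hits[ev["ProcessId"]] = found
    return hits


# Constructed sample events (not from the incident).
SAMPLE_EVENTS = [
    {   # the dropped exploit binary itself, matched by hash and by name
        "ProcessId": 4120,
        "Image": "C:\\Users\\Public\\8_ise.exe",
        "ParentImage": "C:\\Windows\\explorer.exe",
        "User": "WORKSTATION\\victim",
        "Hashes": "SHA256=338AC127E81316D3B4A625DDF28EFF2693778F3C8F1050CC06467845232E8DA2",
        "TerminalSessionId": 2,
    },
    {   # hijacked wermgr.exe, running as SYSTEM, spawning PowerShell ISE in session 2
        "ProcessId": 4388,
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe",
        "ParentImage": "C:\\Windows\\System32\\wermgr.exe",
        "User": "NT AUTHORITY\\SYSTEM",
        "Hashes": "SHA256=0000000000000000000000000000000000000000000000000000000000000000",
        "TerminalSessionId": 2,
    },
    {   # benign: the WER service in session 0 launching its own helper
        "ProcessId": 5012,
        "Image": "C:\\Windows\\System32\\wermgr.exe",
        "ParentImage": "C:\\Windows\\System32\\svchost.exe",
        "User": "NT AUTHORITY\\SYSTEM",
        "Hashes": "SHA256=1111111111111111111111111111111111111111111111111111111111111111",
        "TerminalSessionId": 0,
    },
]

if __name__ == "__main__":
    for pid, findings in scan(SAMPLE_EVENTS).items():
        print(pid, ", ".join(findings))
```

The hash and filename checks will only ever catch these two samples; the parent/child check is the durable part, because the technique itself forces the attacker's payload to be a child of a SYSTEM wermgr.exe in the victim's interactive session. Tune the session filter if your environment legitimately runs wermgr.exe as SYSTEM outside session 0.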
Read more: https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/