Falcon Complete: Zero-Day Exploit Case Study | CrowdStrike

CrowdStrike Falcon Complete observed a still-unknown zero-day vulnerability affecting Windows Error Reporting (WER) that was exploited in the wild and later disclosed as CVE-2023-36874. The write-up details how the vulnerability was discovered, the exploit chain, privilege escalation via WER impersonation, a file-system redirection hijack, and the associated indicators of compromise. #CVE-2023-36874 #WindowsErrorReporting #wermgr #RDP #CrowdStrike #CrowdStrikeFalconComplete

Keypoints

  • The zero-day CVE-2023-36874 was observed exploiting the Windows Error Reporting (WER) component and was independently disclosed by Google Threat Analysis Group before CrowdStrike published.
  • Binaries were dropped on a system via an unmanaged-host RDP connection, with Falcon Complete blocking and quarantining suspected exploits for CVE-2021-24084.
  • The WER service and its COM interfaces enable a chain that leads to executing wermgr.exe, enabling privilege escalation to SYSTEM under impersonation.
  • An exploit kit within the campaign aims to spawn a privileged interpreter (cmd.exe or powershell_ise.exe) or a privileged scheduled task as a fallback.

MITRE Techniques

  • [T1021.001] Remote Services – Binaries dropped via RDP from an unmanaged host. ‘via Remote Desktop Protocol (RDP) connection from an unmanaged host.’
  • [T1068] Exploitation for Privilege Escalation – Privilege escalation achieved via WER impersonation and process creation. ‘This allows the attacker-controlled executable to be run with the privileges of the WER service (i.e., SYSTEM).’
  • [T1574] Hijack Execution Flow – Redirection of execution flow by creating a symbolic link to attacker-controlled files. ‘Creates a redirection from the C: drive to C:\Users\Public\Test by calling the NtCreateSymbolicLink function, where the third and fourth parameters point respectively to \??\C: and \GLOBAL??\C:\Users\Public\Test.’
  • [T1059.003] Windows Command Shell – The exploit kit aims to spawn a privileged interpreter, specifically cmd.exe, in the interactive session. ‘spawn a privileged interpreter, either the traditional command interpreter cmd.exe, or powershell_ise.exe, in the interactive session from which the binary was launched.’
  • [T1059.001] PowerShell – The exploit kit aims to spawn a privileged interpreter, specifically powershell_ise.exe, in the interactive session. ‘spawn a privileged interpreter, either the traditional command interpreter cmd.exe, or powershell_ise.exe, in the interactive session from which the binary was launched.’

Indicators of Compromise

  • [Filename] observed dropped binaries during the incident investigation – 10new+11_ISE_0x000109D59D6CC3F4.exe, 8_ise.exe
  • [SHA256 Hash] corresponding hashes for observed binaries – e800d1271b15d1db04280a64905104a912094d2938fd6b024ce143f1221d22f5, 338ac127e81316d3b4a625ddf28eff2693778f3c8f1050cc06467845232e8da2
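The following detection sketch is an added example, not code from the CrowdStrike write-up or from Falcon Complete. It turns the technique list and the indicators above into three checks run over constructed, newline-delimited JSON telemetry (the event schema with `event`, `parent`, `image`, `user`, `link`, `target` and `sha256` fields is an assumption for illustration): a `wermgr.exe` parent handing an interactive interpreter to a SYSTEM session (T1068/T1059), a drive-root symbolic link such as `\??\C:` pointing into a user-writable directory (T1574), and a hash or filename match against the two observed binaries.

```python
import json
import ntpath
import re

# IoC values taken from the write-up (the two observed binaries).
IOC_SHA256 = {
    "e800d1271b15d1db04280a64905104a912094d2938fd6b024ce143f1221d22f5",
    "338ac127e81316d3b4a625ddf28eff2693778f3c8f1050cc06467845232e8da2",
}
IOC_FILENAMES = {"10new+11_ISE_0x000109D59D6CC3F4.exe", "8_ise.exe"}

# Chain described in the write-up: wermgr.exe running as SYSTEM has no business
# spawning an interactive shell, and a drive-root symbolic link aimed at a
# user-writable directory is the file-system redirection hijack.
WER_PARENT = "wermgr.exe"
PRIVILEGED_INTERPRETERS = {"cmd.exe", "powershell_ise.exe"}
DRIVE_ROOT_LINK = re.compile(r"\\\?\?\\[A-Za-z]:")  # matches e.g. \??\C:


def check_event(ev: dict) -> list:
    """Return (technique, reason) findings for one parsed telemetry event."""
    findings = []
    kind = ev.get("event")
    if kind == "ProcessCreate":
        # ntpath handles Windows separators regardless of the host OS.
        parent = ntpath.basename(ev.get("parent", "")).lower()
        child = ntpath.basename(ev.get("image", "")).lower()
        if parent == WER_PARENT and child in PRIVILEGED_INTERPRETERS:
            findings.append(("T1068", f"{WER_PARENT} spawned {child} as {ev.get('user')}"))
    elif kind == "SymbolicLink":
        link, target = ev.get("link", ""), ev.get("target", "")
        if DRIVE_ROOT_LINK.fullmatch(link) and "\\users\\" in target.lower():
            findings.append(("T1574", f"drive root {link} redirected to {target}"))
    # IoC matching applies to any event that carries a hash or a file path.
    if ev.get("sha256", "").lower() in IOC_SHA256:
        findings.append(("IoC", f"known hash on {ev.get('image')}"))
    elif ntpath.basename(ev.get("image", "")) in IOC_FILENAMES:
        findings.append(("IoC", f"known filename {ntpath.basename(ev['image'])}"))
    return findings


def scan_log(text: str) -> list:
    """Scan newline-delimited JSON events, skipping blank or non-JSON lines."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        out.extend(check_event(ev))
    return out


# Constructed sample telemetry for the demonstration (not real sensor output).
SAMPLE_EVENTS = [
    {"event": "FileWrite", "image": r"C:\Users\Public\Test\8_ise.exe",
     "sha256": "338ac127e81316d3b4a625ddf28eff2693778f3c8f1050cc06467845232e8da2"},
    {"event": "SymbolicLink", "link": r"\??\C:",
     "target": r"\GLOBAL??\C:\Users\Public\Test"},
    {"event": "ProcessCreate", "parent": r"C:\Windows\System32\wermgr.exe",
     "image": r"C:\Windows\System32\cmd.exe", "user": r"NT AUTHORITY\SYSTEM"},
    {"event": "ProcessCreate", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "user": r"WS01\alice"},  # benign
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS) + "\nnot json\n"

if __name__ == "__main__":
    for technique, reason in scan_log(SAMPLE_LOG):
        print(technique, reason)
```

Run as a script it reports three findings for the constructed log (the hash match, the `\??\C:` redirection and the `wermgr.exe` to `cmd.exe` lineage) and nothing for the ordinary `explorer.exe` shell. The lineage rule is deliberately narrow; if `wermgr.exe` is observed spawning other children as SYSTEM in your estate, widen `PRIVILEGED_INTERPRETERS` from your own baseline rather than from this list.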

Read more: https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/