The Follina 0day vulnerability (CVE-2022-30190) in Microsoft Windows is actively exploited in-the-wild and highly critical. This blog posts lists some important web resources and the signatures that detect exploitation attempts.

Signatures Detecting Follina / CVE-2022-30190 Attacks

Check for matches with the following rules:

YARA

Rules shared in the public signature-base and used in THOR and THOR Lite

• SUSP_Doc_RTF_OLE2Link_Jun22
• SUSP_Doc_RTF_OLE2Link_EMAIL_Jun22
• SUSP_DOC_RTF_ExternalResource_EMAIL_Jun22
• SUSP_Msdt_Artefact_Jun22_2
• SUSP_LNK_Follina_Jun22
• SUSP_PS1_Msdt_Execution_May22
• SUSP_Doc_WordXMLRels_May22
• SUSP_Doc_RTF_ExternalResource_May22
• EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 (previously: MAL_Msdt_MSProtocolURI_May22)

Only available in THOR

• SUSP_PS1_Obfusc_Combo_Base64_CharacterConcatenation_May22
• SUSP_PS1_Nested_InvokeExpression_May22
• SUSP_Office_Cloaked_MHT_Moniker_Jun22 (uses external vars; not in Valhalla)
• EXPL_MAL_MalDoc_TemplateInjection_Jun22
• SUSP_Encoded_Follina_CVE_2022_30190_Payloads_Jun22
• SUSP_EXPL_Follina_CVE_2022_30190_Jun22_1
• SUSP_EXPL_Follina_CVE_2022_30190_Jun22_2
• EXPL_Encoded_CVE_2022_30190_Payloads_Jun22_1

Sigma

Public Sigma rules used in Aurora, THOR and Aurora Lite

• Sdiagnhost Calling Suspicious Child Process – f3d39c45-de1a-4486-a687-ab126124f744
• New Lolbin Process by Office Applications – 23daeb52-e6eb-493c-8607-c4f0246cb7d8
• MSDT Executed with Suspicious Parent – 7a74da6b-ea76-47db-92cc-874ad90df734
• Execute Arbitrary Commands Using MSDT.EXE – 258fc8ce-8352-443a-9120-8a11e4857fa5
• Microsoft Outlook Product Spawning Windows Shell – 208748f7-881d-47ac-a29c-07ea84bf691d

Private Sigma rules only available in Aurora

• Sdiagnhost Loading System.Management.Automation.dll – 1a4a0e9c-e47d-492c-800f-545f83fac88a
• Sdiagnhost Calling Suspicious Descendant Process – 8655fa4b-e956-4ed4-b20d-151dfd8c802d