What is Follina :

Follina (CVE-2022-30190) is a zero-day vulnerability in Microsoft Office discovered on 27 May 2022. It is a high severity vulnerability that hackers can exploit for remote code execution (RCE) attacks.Remote code execution (RCE) refers to a class of cyberattacks in which attackers remotely execute commands to place malware or other malicious code on the target computer or network.

Locating Follina:

Initially, we set up a testing environment where the vulnerability was intentionally exploited to analyze the functionality of Follina. We studied the generated log files to identify relevant patterns and fields that would assist in detecting the exploitation. Subsequently, we created detection rules in Cyber Radar based on the sysmon log files.

Additionally, it has been observed that it is unusual for Microsoft Office applications to create new processes, and so far, this behavior has been identified in the exploitation of vulnerabilities by Follina.

Follina gains access to systems through MSDT, a tool used by various Microsoft applications. When this activity is detected by Cyber Radar, the corresponding notification will be displayed. The image below shows the detection of a successful exploitation of vulnerabilities by Follina through MSDT.