Adversaries may exploit the Dell driver vulnerability (CVE-2021-21551), a local elevation-of-privilege flaw, to gain elevated privileges. SOC teams should proactively hunt for this behavior in Azure Sentinel so that exploitation of unpatched systems is identified and mitigated before lateral movement or persistence occurs.
KQL Query
DeviceFileEvents
| where SHA256 in ("0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5","ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1","552c297d6d7992f8b95287ac6e16f2169b6e629cb6ae0ee42036f093c36142d4","4c727e430fb72f6942768cd1662b4aefda32f10bde43c7232da6713bb5c98bc0","87e38e7aeaaaa96efe1a74f59fca8371de93544b7af22862eb0e574cec49c7c3")
| where FolderPath has_any (@"C:\Windows\Temp\",@"C:\Temp\")
id: 4eadcfeb-2ed8-40ce-941a-6691d7ddbdca
name: dell-driver-vulnerability-2021
description: |
  This query was originally published in the threat analytics report, Multiple EOP flaws in Dell driver (CVE-2021-21551).
  CVE-2021-21551 is a vulnerability found in dbutil_2_3.sys, a driver distributed with Dell firmware updates and tools. Attackers can exploit this vulnerability to escalate privileges on a compromised device. The following query can detect if the affected driver has been added to a device's \temp folders.
  Reference - https://nvd.nist.gov/vuln/detail/CVE-2021-21551
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceFileEvents
tactics:
  - Privilege escalation
query: |
  DeviceFileEvents
  | where SHA256 in ("0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5","ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1","552c297d6d7992f8b95287ac6e16f2169b6e629cb6ae0ee42036f093c36142d4","4c727e430fb72f6942768cd1662b4aefda32f10bde43c7232da6713bb5c98bc0","87e38e7aeaaaa96efe1a74f59fca8371de93544b7af22862eb0e574cec49c7c3")
  | where FolderPath has_any (@"C:\Windows\Temp\",@"C:\Temp\")
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
Scenario: Dell Driver Update via Dell Command | Configure
Description: A legitimate system update task using Dell Command | Configure may trigger the rule as it modifies or replaces the dbutil_2_3.sys driver.
Filter/Exclusion: Check for a parent process or command line containing DellCommand or Dell Command | Configure.
Scenario: Scheduled System Scan by Windows Defender
Description: Windows Defender may scan and flag the dbutil_2_3.sys driver during a routine security scan, leading to a false positive.
Filter/Exclusion: Filter events where the process is MsMpEng.exe or check for Windows Defender in the process name.
Scenario: Driver Rollback via Device Manager
Description: An administrator may manually roll back a driver using Device Manager, which could trigger the rule due to changes in the driver file.
Filter/Exclusion: Filter for process names like devmgmt.msc or explorer.exe with user context indicating an admin task.
Scenario: Dell SupportAssist Background Scan
Description: Dell SupportAssist may perform background system checks and interact with the dbutil_2_3.sys driver, causing the rule to trigger.
Filter/Exclusion: Check for process names like SupportAssistService.exe or SupportAssist.exe in the event context.
Scenario: Driver Signing Enforcement by Group Policy
Description: A Group Policy update enforcing driver signing may cause the system to replace or modify the dbutil_2_3.sys driver, leading to a false positive.
Filter/Exclusion: Filter for process names like gpupdate.exe or services.exe with user context indicating a policy change.
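The two filters of the hunting query above, combined with the false-positive exclusions from the scenarios, as an added Python example that is not the rule's own code: it runs offline over constructed DeviceFileEvents rows, column names follow the DeviceFileEvents schema, and the rows, the "laptop-*" device names and the benign all-zero hash are made up.

```python
# Added example, not the rule's own code: the query's filters plus the page's
# false-positive exclusions, run offline over constructed DeviceFileEvents rows.
# SHA256 values of the vulnerable dbutil_2_3.sys builds, as listed in the rule.
VULNERABLE_DRIVER_SHA256 = {
    "0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5",
    "ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1",
    "552c297d6d7992f8b95287ac6e16f2169b6e629cb6ae0ee42036f093c36142d4",
    "4c727e430fb72f6942768cd1662b4aefda32f10bde43c7232da6713bb5c98bc0",
    "87e38e7aeaaaa96efe1a74f59fca8371de93544b7af22862eb0e574cec49c7c3",
}
# Folder prefixes from the query; KQL has_any is a case-insensitive substring match.
TEMP_FOLDERS = ("c:\\windows\\temp\\", "c:\\temp\\")
# Process names taken from the false-positive scenarios on this page.
EXPECTED_DELL_TOOLS = {"supportassistservice.exe", "supportassist.exe"}

def matches_rule(event):
    """Both filters of the published query: known-bad hash written under a temp folder."""
    if event.get("SHA256", "").lower() not in VULNERABLE_DRIVER_SHA256:
        return False
    return any(p in event.get("FolderPath", "").lower() for p in TEMP_FOLDERS)

def triage(event):
    """Return 'alert', 'expected-dell-tool' (documented false-positive source) or None."""
    if not matches_rule(event):
        return None
    proc = event.get("InitiatingProcessFileName", "").lower()
    cmd = event.get("InitiatingProcessCommandLine", "").lower().replace(" ", "")
    if proc in EXPECTED_DELL_TOOLS or "dellcommand" in proc or "dellcommand" in cmd:
        return "expected-dell-tool"
    return "alert"

def hunt(events):
    """Bucket device names by verdict so suppressed hits stay visible for review."""
    out = {"alert": [], "expected-dell-tool": []}
    for event in events:
        verdict = triage(event)
        if verdict:
            out[verdict].append(event["DeviceName"])
    return out

def _row(device, sha, folder, proc, cmd=""):
    # Constructed DeviceFileEvents row carrying only the columns the logic reads.
    return {"DeviceName": device, "SHA256": sha, "FolderPath": folder,
            "InitiatingProcessFileName": proc, "InitiatingProcessCommandLine": cmd}

BAD = "0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5"
SAMPLE_EVENTS = [  # constructed: true hit, Dell tool, outside temp, benign hash
    _row("laptop-01", BAD, "C:\\Windows\\Temp\\", "powershell.exe"),
    _row("laptop-02", BAD, "C:\\Temp\\Dell\\", "SupportAssistService.exe"),
    _row("laptop-03", BAD, "C:\\Program Files\\Dell\\", "msiexec.exe"),
    _row("laptop-04", "00" * 32, "C:\\Temp\\", "explorer.exe"),
]
```

Suppressed hits are returned alongside alerts rather than dropped, so an analyst can still confirm that the driver written by a Dell tool was actually removed or patched afterwards.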