Next, copy the file follina.doc from the working directory of the CnC server to the target Windows endpoint. Open follina.doc on the endpoint. This action will also launch the calculator application, proving that the vulnerability has been exploited.
The last thing that I want to cover is another thing to look out for when this particular process is running. It is vital to remember that when the HTML document (in this case, follina.doc) is executed in the context of WinWord, msdt.exe gets spawned as a child process, which is because of the protocol handler entry in the registry (all of this can be found in an example html file here from Symantec). Now, by strategically searching our Graylog in the same way we did earlier, we should find something quite substantial; that exact log in our SIEM, which should be ringing some alarm bells, something malicious is definitely happening here: 041b061a72