Detecting PwnKit (CVE-2021-4034) Using Trend Micro\u2122 Vision One\u2122 and Cloud One\u2122<\/title> <link href=\"https:\/\/fonts.googleapis.com\/css?family=Open+Sans:300,300i,400,400i,600\" rel=\"stylesheet\">\n<link href=\"\/\/customer.cludo.com\/css\/296\/1798\/cludo-search.min.css\" type=\"text\/css\" rel=\"stylesheet\"> <link rel=\"stylesheet\" href=\"\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch.min.css\" type=\"text\/css\"> <meta property=\"og:url\" content=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/b\/detecting-pwnkit-cve20214034-using-trend-micro-vision-one-cloud-one.html\"><br \/>\n<meta property=\"og:title\" content=\"Detecting PwnKit (CVE-2021-4034) Using Trend Micro\u2122 Vision One\u2122 and Cloud One\u2122\"><br \/>\n<meta property=\"og:site_name\" content=\"Trend Micro\"><br \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/b\/detecting-pwnkit-cve-2021-4034-using-trend-micro-vision-one-and-cloud-one\/cover-detecting-pwnkit-cve20214034-trend-micro-vision-one-cloud-one.jpg\"><br \/>\n<meta property=\"og:locale\" content=\"en_US\"> <meta name=\"twitter:card\" content=\"summary_large_image\"><br \/>\n<meta name=\"twitter:site\" content=\"@TrendMicro\"><br \/>\n<meta name=\"twitter:title\" content=\"Detecting PwnKit (CVE-2021-4034) Using Trend Micro\u2122 Vision One\u2122 and Cloud One\u2122\"><br \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/b\/detecting-pwnkit-cve-2021-4034-using-trend-micro-vision-one-and-cloud-one\/cover-detecting-pwnkit-cve20214034-trend-micro-vision-one-cloud-one.jpg\"> <\/head> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"50.95606991025\">  <a id=\"page-scroll\" title=\"VerticalPageScroll\" href=\"javascript:jumpScroll($(this).scrollTop());\"> <span class=\"icon-chevron-up\"><\/span> <\/a>  <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"915624631\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"9.2470414201183\">\n<div class=\"article-details\" role=\"heading\" readability=\"37.961538461538\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__display-tag\">Exploits & Vulnerabilities<\/p>\n<p class=\"article-details__description\">This blog discusses how CVE-2021-4034 can be detected and blocked using Trend Micro\u2122 Vision One\u2122 and Trend Micro Cloud One\u2122.<\/p>\n<p class=\"article-details__author-by\">By: Sunil Bharti, Nitesh Surana <time class=\"article-details__date\">February 11, 2022<\/time> <span>Read time: <\/span><span class=\"eta\"><\/span> (<span class=\"words\"><\/span> words) <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-md-8 col-md-push-2\"> <\/p>\n<div class=\"richText\" readability=\"50.708754208754\">\n<div readability=\"47.783249158249\">\n<p>PolKit, or PolicyKit, is a component that handles system-wide policies and authorizations in Unix and Unix-like operating systems (OS), allowing non-privileged processes to communicate with privileged ones. PolKit\u2019s <i>pkexec<\/i> comes bundled in major Linux distributions, a tool generally used to execute commands with elevated privileges (root capabilities). The component also enables an authorized user to execute programs as another user (generally \u2018root\u2019). The function is synonymous to \u2018runas\u2019 in Windows.<\/p>\n<p>Security researchers <a href=\"https:\/\/blog.qualys.com\/vulnerabilities-threat-research\/2022\/01\/25\/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034\">disclosed<\/a> PwnKit as a memory corruption vulnerability in polkit\u2019s pkexec, assigned with the ID <a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2021-4034\">CVE-2021-4034<\/a> (rated High at 7.8). The gap allows a low-privileged user to escalate privileges to the root of the host. Various proofs of concept have been disclosed, written in different languages (such as <a href=\"https:\/\/haxx.in\/files\/blasty-vs-pkexec.c\">several<\/a> <a href=\"https:\/\/github.com\/clubby789\/CVE-2021-4034\/blob\/master\/poc.c\">in<\/a> <a href=\"https:\/\/github.com\/c3l3si4n\/pwnkit\/blob\/main\/pwnkit.c\">C<\/a>, <a href=\"https:\/\/github.com\/dadvlingd\/-CVE-2021-4034\/blob\/main\/CVE-2021-4034-py3.py\">Python<\/a>, <a href=\"https:\/\/github.com\/Y3A\/CVE-2021-4034\/\">Bash<\/a>, and <a href=\"https:\/\/github.com\/dzonerzy\/poc-cve-2021-4034\">Go<\/a>), and the vulnerability has been there for over 12 years, affecting all versions of the pkexec since its first distribution in 2009. <\/p>\n<p>These make the security gap \u201can attacker\u2019s <a href=\"https:\/\/www.qualys.com\/2022\/01\/25\/cve-2021-4034\/pwnkit.txt\">dream come true<\/a>\u201d and a vulnerability that needs to be fixed as soon as possible: Any unprivileged local user can abuse this to get full root privileges and exploit the gap even if the polkit daemon itself is not running. Attackers can reintroduce environment variables in the context of the ‘pkexec’ binary, leading to a controlled execution of an attacker-controlled shared library and gaining code execution with ‘root’ privileges. Security teams are advised to patch this as soon as possible, or to apply temporary mitigation steps while updating their respective systems. This blog discusses how Trend Micro\u2122 Vision One\u2122 and Trend Micro\u2122 Cloud One\u2122 can be used to detect the abuse of the said vulnerability.<\/p>\n<p><span class=\"body-subhead-title\">Trend Micro Cloud One\u2122 – Workload Security<\/span><\/p>\n<p>Using the platform of Trend Micro Cloud One – Workload Security, the following modules can be used to detect the abuse of CVE-2021-4034:<\/p>\n<p><b>1. Activity Monitoring: <\/b>This module can detect process, file, and network activities on endpoints running Cloud One Workload Security. In this case, we will look into the process and file activities since there is no network component to this attack scenario.<\/p>\n<p><b>2. Anti-malware:<\/b> This module provides protection against the exploitation of this vulnerability in real time using behavior monitoring.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/b\/detecting-pwnkit-cve-2021-4034-using-trend-micro-vision-one-and-cloud-one\/figure1-pwnkit-detecting-vision-one-cloud-one.png\" alt=\"figure1-detecting-pwnkit-cve20214034-using-trend-micro-vision-one-cloud-one\"><figcaption>Figure 1. Anti-malware feature can detect the abuse of an exploit<\/figcaption><\/figure>\n<\/p><\/div>\n<div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p>3. <b>Log Inspection: <\/b>This module can tap in the authentication-related events on the host. When the proof of concept is executed, there are observations on <i>\/var\/log\/auth.log<\/i> from where we can deduce suspicious activity with respect to pkexec. The <b>1002831 – Unix \u2013 Syslog Log Inspection<\/b> rule can potentially detect the exploitation of CVE-2021-4034.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/b\/detecting-pwnkit-cve-2021-4034-using-trend-micro-vision-one-and-cloud-one\/figure2-pwnkit-detecting-vision-one-cloud-one.jpg\" alt=\"figure2-detecting-pwnkit-cve20214034-using-trend-micro-vision-one-cloud-one\"><figcaption>Figure 2. In the \u2018Event\u2019 section, the Log Inspection rule can track activities of clearing safe variables (left) and suspicious environment variable with suspicious content in the root (right)<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"37\">\n<div readability=\"19\">\n<p><span class=\"body-subhead-title\">Trend Micro Vision One<\/span><\/p>\n<p>Trend Micro Cloud One – Workload Security\u2019s correlation of telemetry and detections provide initial security context, allowing security teams and analysts to track and monitor the threats that may abuse CVE-2021-4034. In the next section, Trend Micro Vision One provides more details into the paths and events in real time.<\/p>\n<p><b>Observed attack techniques (OATs)<\/b><\/p>\n<p>Observed attack techniques (OATs) are generated from individual events that provide security value. To look into the possible attempts of exploitation using this vulnerability, we can look for these OAT IDs from many other helper OAT triggers that indicate suspicious activities on the <i>buntu<\/i> host.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/b\/detecting-pwnkit-cve-2021-4034-using-trend-micro-vision-one-and-cloud-one\/figure3-pwnkit-detecting-vision-one-cloud-one.png\" alt=\"figure3-detecting-pwnkit-cve20214034-using-trend-micro-vision-one-cloud-one\"><figcaption>Figure 3. OATs from Trend Micro Vision One\u2019s threat hunting app<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"37.5\">\n<div readability=\"20\">\n<p>The following OAT IDs can be used while threat hunting:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">F2533 – Identified File Permission Change For CVE-2021-4034 Vulnerability Exploitation<\/span><\/li>\n<li><span class=\"rte-red-bullet\">F4875 – Identified Creation Of GCONV_PATH Directory For CVE-2021-4034 Vulnerability Exploitation<\/span><\/li>\n<li><span class=\"rte-red-bullet\">F4880 – Identified PkExec Run with Root Privileges<\/span><\/li>\n<li><span class=\"rte-red-bullet\">F4873 – Potential Exploitation of Polkit Vulnerability CVE-2021-4034<\/span><\/li>\n<li><span class=\"rte-red-bullet\">F4881 – Potential PwnKit CVE-2021-4034 Exploitation Traces Logged<\/span><\/li>\n<\/ul>\n<p><b>Root cause analysis (RCA)<\/b><\/p>\n<p>Execution Profile is a feature in Vision One that generates graphs for security teams. We can expand this for fields like \u2018processCmd\u2019 or \u2018objectCmd\u2019 from the search or threat hunting apps for activities observed within a given time frame such as process creation, file creation, and inbound and outbound network activity, among other parameters. Threat hunters and security analysts can expand the initial hypothesis to figure out the execution details and sequence using RCAs shown in this section. For this vulnerability, we have observed the following operations:<\/p>\n<p>a. Creation of a directory with the name \u2018GCONV_PATH=.\u2019<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/b\/detecting-pwnkit-cve-2021-4034-using-trend-micro-vision-one-and-cloud-one\/figure4-pwnkit-detecting-vision-one-cloud-one.png\" alt=\"figure4-detecting-pwnkit-cve20214034-using-trend-micro-vision-one-cloud-one\"><figcaption>Figure 4. Directory creation<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31\">\n<div readability=\"7\">\n<p>b. Change of permissions for a random file in \u2018GCONV_PATH=.\u2019 Directory<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/b\/detecting-pwnkit-cve-2021-4034-using-trend-micro-vision-one-and-cloud-one\/figure5-pwnkit-detecting-vision-one-cloud-one.png\" alt=\"figure5-detecting-pwnkit-cve20214034-using-trend-micro-vision-one-cloud-one\"><figcaption>Figure 5. Changing permissions for files<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31\">\n<div readability=\"7\">\n<p>c. Execution of \u2018pkexec\u2019 as the \u2018root\u2019 user from a non-root parent<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/b\/detecting-pwnkit-cve-2021-4034-using-trend-micro-vision-one-and-cloud-one\/figure6-pwnkit-detecting-vision-one-cloud-one.png\" alt=\"figure6-detecting-pwnkit-cve20214034-using-trend-micro-vision-one-cloud-one\"><figcaption>Figure 6. Unauthorized execution with user\u2019s newly escalated privileges<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31\">\n<div readability=\"7\">\n<p>d. Launch of a shell from \u2018pkexec\u2019 as the parent process<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/b\/detecting-pwnkit-cve-2021-4034-using-trend-micro-vision-one-and-cloud-one\/figure7-pwnkit-detecting-vision-one-cloud-one.png\" alt=\"figure7-detecting-pwnkit-cve20214034-using-trend-micro-vision-one-cloud-one\"><figcaption>Figure 7. Launch of shell variable<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33.5\">\n<div readability=\"12\">\n<p><span class=\"body-subhead-title\">Trend Micro Vision One Workbench App<\/span><\/p>\n<p>The Trend Micro Vision One Workbench app helps analysts see the significant correlated events intelligently based on occurrences throughout the entire fleet of workloads. The left side of the diagram shows the summarized sequence of events happening one after the other. Analysts can view the different fields of interest that are considered important and provide security value on the right. The app allows security teams to see the compromised assets and isolate those that can be potentially affected while patching procedures are in progress.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/b\/detecting-pwnkit-cve-2021-4034-using-trend-micro-vision-one-and-cloud-one\/figure8-pwnkit-detecting-vision-one-cloud-one.jpg\" alt=\"figure8-detecting-pwnkit-cve20214034-using-trend-micro-vision-one-cloud-one\"><figcaption>Figure 8. Mapping compromised assets and potentially affected areas<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"49\">\n<div readability=\"43\">\n<p><span class=\"body-subhead-title\">Conclusion<\/span><\/p>\n<p>Based on our tests, companies\u2019 security teams can execute a manual workaround by checking for the following strings in the <i>\/var\/log\/auth.log file<\/i>:<\/p>\n<ol>\n<li>“The value for the SHELL variable was not found the \/etc\/shells file”<\/li>\n<li>“The value for environment variable * contains suspicious content,\u201d wherein * can be anything like <i>SHELL<\/i> or <i>XAUTHORITY<\/i> (in our case, it was XAUTHORITY).<\/li>\n<\/ol>\n<p>Also, as administrators and security teams work to patch all affected systems, path administrators can temporarily mitigate the vulnerability by removing the setuid permission from the pkexec binary.<\/p>\n<p>The likelihood that attackers will abuse and exploit this vulnerability is high. Given the number of proofs that came about from when it was disclosed, it will only be a matter of time before attackers include an exploit for this gap in their campaigns and attack arsenal. All major Linux distributors, such as RedHat, Debian, Ubuntu, CentOS, and Suse, are considered vulnerable; hopefully, fixes for these distributions can be released soon.<\/p>\n<p>This vulnerability can be used in any environment in which attackers have already established a foothold, from cryptomining and malware infections, to cyberespionage. As stated by the security researchers themselves, it is considered easy, provides root privileges to the attacker, can be used for lateral movement, and is exploitable even if the polkit daemon itself is not running. One silver lining to this vulnerability is that, at its simplest execution, the use of the techniques leaves activity traces in the logs. However, as the security researchers mentioned in their security advisory, there are still ways to exploit this vulnerability without leaving any traces in the auth.log. Security teams are advised to apply the necessary patches as soon as possible, and to enable all applicable solutions for detecting and blocking abuse.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\">\n<div>\n<p><b>MITRE ATT&CK<\/b><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\">\n<div class=\"responsive-table-wrap\">\n<table cellpadding=\"1\" cellspacing=\"0\" border=\"1\">\n<tbody readability=\"2.6187845303867\">\n<tr>\n<td><b>Technique<\/b><\/td>\n<td><b>ID<\/b><\/td>\n<\/tr>\n<tr readability=\"1.7674418604651\">\n<td>Exploitation for Privilege Escalation<\/td>\n<td><a href=\"https:\/\/attack.mitre.org\/techniques\/T1068\/\">T1068<\/a><\/td>\n<\/tr>\n<tr readability=\"1.6785714285714\">\n<td>Path Interception by PATH Environment Variable<\/td>\n<td><a href=\"https:\/\/attack.mitre.org\/techniques\/T1574\/007\/\">T1574.007<\/a><\/td>\n<\/tr>\n<tr readability=\"1.7313432835821\">\n<td>Linux and Mac File and Directory Permissions Modification<\/td>\n<td><a href=\"https:\/\/attack.mitre.org\/versions\/v9\/techniques\/T1222\/002\/\">T1222.002<\/a><\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<section class=\"tag--list\">\n<p>Tags<\/p>\n<\/section>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p>   <\/p>\n<p> <span>sXpIBdPeKzI9PC2p0SWMpUSM2NSxWzPyXTMLlbXmYa0R20xk<\/span> <\/p>\n<p>   <\/body> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/b\/detecting-pwnkit-cve20214034-using-trend-micro-vision-one-cloud-one.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>This blog discusses how CVE-2021-4034 can be detected and blocked using Trend Micro\u2122 Vision One\u2122 and Trend Micro Cloud One\u2122. Read More HERE…<\/p>\n","protected":false},"author":2,"featured_media":45246,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9511,9508,9555,9509],"class_list":["post-45245","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-cyber-threats","tag-trend-micro-research-endpoints","tag-trend-micro-research-exploitsvulnerabilities","tag-trend-micro-research-research"],"yoast_head":"\n<title>Detecting PwnKit (CVE-2021-4034) Using Trend Micro\u2122 Vision One\u2122 and Cloud One\u2122 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/detecting-pwnkit-cve-2021-4034-using-trend-micro-vision-one-and-cloud-one\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Detecting PwnKit (CVE-2021-4034) Using Trend Micro\u2122 Vision One\u2122 and Cloud One\u2122 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/detecting-pwnkit-cve-2021-4034-using-trend-micro-vision-one-and-cloud-one\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2022-02-11T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/b\/detecting-pwnkit-cve-2021-4034-using-trend-micro-vision-one-and-cloud-one\/cover-detecting-pwnkit-cve20214034-trend-micro-vision-one-cloud-one.jpg\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/detecting-pwnkit-cve-2021-4034-using-trend-micro-vision-one-and-cloud-one\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/detecting-pwnkit-cve-2021-4034-using-trend-micro-vision-one-and-cloud-one\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Detecting PwnKit (CVE-2021-4034) Using Trend Micro\u2122 Vision One\u2122 and Cloud One\u2122\",\"datePublished\":\"2022-02-11T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/detecting-pwnkit-cve-2021-4034-using-trend-micro-vision-one-and-cloud-one\\\/\"},\"wordCount\":1299,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/detecting-pwnkit-cve-2021-4034-using-trend-micro-vision-one-and-cloud-one\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/02\\\/detecting-pwnkit-cve-2021-4034-using-trend-micro-vision-one-and-cloud-one.png\",\"keywords\":[\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Cyber Threats\",\"Trend Micro Research : Endpoints\",\"Trend Micro Research : Exploits&Vulnerabilities\",\"Trend Micro Research : Research\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/detecting-pwnkit-cve-2021-4034-using-trend-micro-vision-one-and-cloud-one\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/detecting-pwnkit-cve-2021-4034-using-trend-micro-vision-one-and-cloud-one\\\/\",\"name\":\"Detecting PwnKit (CVE-2021-4034) Using Trend Micro\u2122 Vision One\u2122 and Cloud One\u2122 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/detecting-pwnkit-cve-2021-4034-using-trend-micro-vision-one-and-cloud-one\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/detecting-pwnkit-cve-2021-4034-using-trend-micro-vision-one-and-cloud-one\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/02\\\/detecting-pwnkit-cve-2021-4034-using-trend-micro-vision-one-and-cloud-one.png\",\"datePublished\":\"2022-02-11T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/detecting-pwnkit-cve-2021-4034-using-trend-micro-vision-one-and-cloud-one\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/detecting-pwnkit-cve-2021-4034-using-trend-micro-vision-one-and-cloud-one\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/detecting-pwnkit-cve-2021-4034-using-trend-micro-vision-one-and-cloud-one\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/02\\\/detecting-pwnkit-cve-2021-4034-using-trend-micro-vision-one-and-cloud-one.png\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/02\\\/detecting-pwnkit-cve-2021-4034-using-trend-micro-vision-one-and-cloud-one.png\",\"width\":281,\"height\":369},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/detecting-pwnkit-cve-2021-4034-using-trend-micro-vision-one-and-cloud-one\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : Articles, News, Reports\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-articles-news-reports\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Detecting PwnKit (CVE-2021-4034) Using Trend Micro\u2122 Vision One\u2122 and Cloud One\u2122\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n","yoast_head_json":{"title":"Detecting PwnKit (CVE-2021-4034) Using Trend Micro\u2122 Vision One\u2122 and Cloud One\u2122 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/detecting-pwnkit-cve-2021-4034-using-trend-micro-vision-one-and-cloud-one\/","og_locale":"en_US","og_type":"article","og_title":"Detecting PwnKit (CVE-2021-4034) Using Trend Micro\u2122 Vision One\u2122 and Cloud One\u2122 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/detecting-pwnkit-cve-2021-4034-using-trend-micro-vision-one-and-cloud-one\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2022-02-11T00:00:00+00:00","og_image":[{"url":"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/b\/detecting-pwnkit-cve-2021-4034-using-trend-micro-vision-one-and-cloud-one\/cover-detecting-pwnkit-cve20214034-trend-micro-vision-one-cloud-one.jpg","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/detecting-pwnkit-cve-2021-4034-using-trend-micro-vision-one-and-cloud-one\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/detecting-pwnkit-cve-2021-4034-using-trend-micro-vision-one-and-cloud-one\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Detecting PwnKit (CVE-2021-4034) Using Trend Micro\u2122 Vision One\u2122 and Cloud One\u2122","datePublished":"2022-02-11T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/detecting-pwnkit-cve-2021-4034-using-trend-micro-vision-one-and-cloud-one\/"},"wordCount":1299,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/detecting-pwnkit-cve-2021-4034-using-trend-micro-vision-one-and-cloud-one\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/02\/detecting-pwnkit-cve-2021-4034-using-trend-micro-vision-one-and-cloud-one.png","keywords":["Trend Micro Research : Articles, News, Reports","Trend Micro Research : Cyber Threats","Trend Micro Research : Endpoints","Trend Micro Research : Exploits&Vulnerabilities","Trend Micro Research : Research"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/detecting-pwnkit-cve-2021-4034-using-trend-micro-vision-one-and-cloud-one\/","url":"https:\/\/www.threatshub.org\/blog\/detecting-pwnkit-cve-2021-4034-using-trend-micro-vision-one-and-cloud-one\/","name":"Detecting PwnKit (CVE-2021-4034) Using Trend Micro\u2122 Vision One\u2122 and Cloud One\u2122 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/detecting-pwnkit-cve-2021-4034-using-trend-micro-vision-one-and-cloud-one\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/detecting-pwnkit-cve-2021-4034-using-trend-micro-vision-one-and-cloud-one\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/02\/detecting-pwnkit-cve-2021-4034-using-trend-micro-vision-one-and-cloud-one.png","datePublished":"2022-02-11T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/detecting-pwnkit-cve-2021-4034-using-trend-micro-vision-one-and-cloud-one\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/detecting-pwnkit-cve-2021-4034-using-trend-micro-vision-one-and-cloud-one\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/detecting-pwnkit-cve-2021-4034-using-trend-micro-vision-one-and-cloud-one\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/02\/detecting-pwnkit-cve-2021-4034-using-trend-micro-vision-one-and-cloud-one.png","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/02\/detecting-pwnkit-cve-2021-4034-using-trend-micro-vision-one-and-cloud-one.png","width":281,"height":369},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/detecting-pwnkit-cve-2021-4034-using-trend-micro-vision-one-and-cloud-one\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : Articles, News, Reports","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/"},{"@type":"ListItem","position":3,"name":"Detecting PwnKit (CVE-2021-4034) Using Trend Micro\u2122 Vision One\u2122 and Cloud One\u2122"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/45245","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=45245"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/45245\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/45246"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=45245"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=45245"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=45245"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":45245,"date":"2022-02-11T00:00:00","date_gmt":"2022-02-11T00:00:00","guid":{"rendered":"urn:uuid:93e54bfe-efaf-37ef-e1e2-50cfecf2c9bf"},"modified":"2022-02-11T00:00:00","modified_gmt":"2022-02-11T00:00:00","slug":"detecting-pwnkit-cve-2021-4034-using-trend-micro-vision-one-and-cloud-one","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/detecting-pwnkit-cve-2021-4034-using-trend-micro-vision-one-and-cloud-one\/","title":{"rendered":"Detecting PwnKit (CVE-2021-4034) Using Trend Micro\u2122 Vision One\u2122 and Cloud One\u2122"},"content":{"rendered":"