The hypothesis is that an adversary may be exploiting the CVE-2018-4878 vulnerability to gain unauthorized access to systems by leveraging a buffer overflow in the Windows Print Spooler service. A SOC team should proactively hunt for this behavior in their Azure Sentinel environment to identify and mitigate potential compromise from legacy vulnerabilities that could be leveraged in multi-stage attacks.
YARA Rule
rule crime_ole_loadswf_cve_2018_4878
{
meta:
description = "Detects CVE-2018-4878"
vuln_type = "Remote Code Execution"
vuln_impact = "Use-after-free"
affected_versions = "Adobe Flash 28.0.0.137 and earlier versions"
mitigation0 = "Implement Protected View for Office documents"
mitigation1 = "Disable Adobe Flash"
weaponization = "Embedded in Microsoft Office first payloads"
actor = "Purported North Korean actors"
reference = "hxxps://www[.]krcert[.]or[.kr/data/secNoticeView.do?bulletin_writing_sequence=26998"
report = "https://www.flashpoint-intel.com/blog/targeted-attacks-south-korean-entities/"
author = "Vitali Kremez, Flashpoint"
version = "1.1"
strings:
// EMBEDDED FLASH OBJECT BIN HEADER
$header = "rdf:RDF" wide ascii
// OBJECT APPLICATION TYPE TITLE
$title = "Adobe Flex" wide ascii
// PDB PATH
$pdb = "F:\\work\\flash\\obfuscation\\loadswf\\src" wide ascii
// LOADER STRINGS
$s0 = "URLRequest" wide ascii
$s1 = "URLLoader" wide ascii
$s2 = "loadswf" wide ascii
$s3 = "myUrlReqest" wide ascii
condition:
all of ($header*) and all of ($title*) and 3 of ($s*) or all of ($pdb*) and all of ($header*) and 1 of ($s*)
}This YARA rule can be deployed in the following contexts:
This rule contains 7 string patterns in its detection logic.
Scenario: A system administrator is performing a scheduled backup using Veeam Backup & Replication and the backup process temporarily opens a network connection to a remote server.
Filter/Exclusion: Exclude processes associated with veeam or VeeamBackup using the process.name field.
Scenario: A Windows Task Scheduler job is running a script that connects to an internal API endpoint to fetch configuration data.
Filter/Exclusion: Exclude processes with taskhost.exe or schtasks.exe in the process.name field.
Scenario: A Docker container is being used to run a CI/CD pipeline (e.g., Jenkins or GitLab CI) and the container makes a connection to a private registry.
Filter/Exclusion: Exclude processes with docker or containerd in the process.name field, or filter by process.parent.name if the parent is known.
Scenario: A Windows Update or Group Policy client is synchronizing settings and establishing a connection to a domain controller.
Filter/Exclusion: Exclude processes with wuauclt.exe, gpsvc.exe, or gpolusr.exe in the process.name field.
Scenario: A log management tool like Splunk or ELK Stack is sending data to a centralized logging server, which involves network communication.
Filter/Exclusion: Exclude processes with splunkd or logstash in the process.name field, or filter by the destination IP if known.