The hypothesis is that the detection identifies potential exploitation of the CVE-2015-1701 vulnerability through the presence of compiled exploit code, which could indicate an adversary attempting to execute arbitrary code on affected systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential compromise from legacy exploit techniques that may still be in use in the environment.
YARA Rule
rule CVE_2015_1701_Taihou {
    meta:
        description = "CVE-2015-1701 compiled exploit code"
        author = "Florian Roth"
        reference = "http://goo.gl/W4nU0q"
        date = "2015-05-13"
        hash1 = "90d17ebd75ce7ff4f15b2df951572653efe2ea17"
        hash2 = "acf181d6c2c43356e92d4ee7592700fa01e30ffb"
        hash3 = "b8aabe12502f7d55ae332905acee80a10e3bc399"
        hash4 = "d9989a46d590ebc792f14aa6fec30560dfe931b1"
        hash5 = "63d1d33e7418daf200dc4660fc9a59492ddd50d9"
        score = 70
    strings:
        $s3 = "VirtualProtect" fullword
        $s4 = "RegisterClass"
        $s5 = "LoadIcon"
        $s6 = "PsLookupProcessByProcessId" fullword ascii
        $s7 = "LoadLibraryExA" fullword ascii
        $s8 = "gSharedInfo" fullword
        $w1 = "user32.dll" wide
        $w2 = "ntdll" wide
    condition:
        uint16(0) == 0x5a4d and filesize < 160KB and all of ($s*) and 1 of ($w*)
}
This YARA rule can be deployed in the following contexts:
This rule contains 8 string patterns in its detection logic.
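To make the rule's condition easier to reason about (and to see why `fullword` and `wide` matter when tuning it), the following Python re-implements the matching logic of the rule above step by step. This is added editorial example code, not Florian Roth's rule and not a YARA engine; the sample blobs it checks are constructed byte strings that only carry the patterns the rule inspects, not the hashed samples referenced in the rule's metadata.

```python
"""
Plain-Python walk-through of the CVE_2015_1701_Taihou rule's condition:

    uint16(0) == 0x5a4d and filesize < 160KB and all of ($s*) and 1 of ($w*)

Editorial example; the blobs built by build_sample() are constructed test
data and are NOT real executables.
"""
import re

# ASCII strings from the rule: (text, fullword?). "fullword" in YARA means
# the match may not be bordered by alphanumeric characters on either side.
ASCII_STRINGS = {
    "$s3": ("VirtualProtect", True),
    "$s4": ("RegisterClass", False),
    "$s5": ("LoadIcon", False),
    "$s6": ("PsLookupProcessByProcessId", True),
    "$s7": ("LoadLibraryExA", True),
    "$s8": ("gSharedInfo", True),
}
# "wide" strings are matched in their UTF-16LE encoding (each char + 0x00).
WIDE_STRINGS = {
    "$w1": "user32.dll",
    "$w2": "ntdll",
}
MAX_SIZE = 160 * 1024  # filesize < 160KB


def fullword_present(data: bytes, needle: bytes) -> bool:
    """Emulate YARA's fullword modifier: no [A-Za-z0-9] directly around the hit."""
    pattern = rb"(?<![A-Za-z0-9])" + re.escape(needle) + rb"(?![A-Za-z0-9])"
    return re.search(pattern, data) is not None


def matched_strings(data: bytes) -> set:
    """Return the set of rule string identifiers that occur in the blob."""
    hits = set()
    for name, (text, fullword) in ASCII_STRINGS.items():
        needle = text.encode("ascii")
        found = fullword_present(data, needle) if fullword else (needle in data)
        if found:
            hits.add(name)
    for name, text in WIDE_STRINGS.items():
        if text.encode("utf-16-le") in data:
            hits.add(name)
    return hits


def rule_matches(data: bytes) -> bool:
    """Evaluate the full condition exactly as the YARA rule states it."""
    # uint16(0) == 0x5a4d: little-endian read of the first two bytes ("MZ").
    if len(data) < 2 or int.from_bytes(data[:2], "little") != 0x5A4D:
        return False
    if len(data) >= MAX_SIZE:          # filesize < 160KB
        return False
    hits = matched_strings(data)
    s_hits = {h for h in hits if h.startswith("$s")}
    w_hits = {h for h in hits if h.startswith("$w")}
    # all of ($s*) and 1 of ($w*)
    return s_hits == set(ASCII_STRINGS) and len(w_hits) >= 1


def build_sample(mz: bool = True, wide: bool = True, ascii_suffix: bytes = b"") -> bytes:
    """
    Constructed blob (not a real PE): header marker, zero filler, the ASCII
    import-style names separated by NULs, then the DLL names as wide strings.
    ascii_suffix lets us append e.g. b"Ex" to every ASCII name to show how
    fullword matching rejects "VirtualProtectEx" for $s3.
    """
    header = b"MZ" if mz else b"ZM"
    filler = b"\x00" * 62
    names = b"\x00".join(t.encode("ascii") + ascii_suffix for t, _ in ASCII_STRINGS.values())
    dlls = b"".join(
        (t.encode("utf-16-le") if wide else t.encode("ascii")) + b"\x00\x00"
        for t in WIDE_STRINGS.values()
    )
    return header + filler + names + b"\x00" + dlls


if __name__ == "__main__":
    print("baseline sample   :", rule_matches(build_sample()))
    print("no MZ header      :", rule_matches(build_sample(mz=False)))
    print("DLL names ASCII   :", rule_matches(build_sample(wide=False)))
    print("names with 'Ex'   :", rule_matches(build_sample(ascii_suffix=b"Ex")))
    print("over 160KB        :", rule_matches(build_sample() + b"\x00" * MAX_SIZE))
```

The four negative cases show the practical consequences of each clause: a non-PE carrier (no MZ), the DLL names present only in ASCII (the rule requires `wide`), API names that appear only as longer variants such as `VirtualProtectEx` (rejected by `fullword`), and a file at or above the 160KB ceiling all fail, even when every other pattern is present. When tuning this rule for an environment, these are the clauses whose relaxation most directly changes the false-positive rate.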
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that includes compiled code (e.g., using msbuild or dotnet CLI) as part of a system update or patching process.
Filter/Exclusion: Exclude processes associated with system maintenance tools like Task Scheduler, msiexec, or Windows Update services.
Scenario: Admin Using IDA Pro for Binary Analysis
Description: A security analyst is using IDA Pro to analyze a compiled binary for research or incident response, which may trigger the rule due to the presence of compiled code.
Filter/Exclusion: Exclude processes with the executable name ida64.exe or any known security analysis tools.
Scenario: PowerShell Script with Compiled .NET Code
Description: A PowerShell script uses Add-Type to compile .NET code inline, which may be flagged as a potential exploit.
Filter/Exclusion: Exclude processes where the command line includes powershell.exe and the script is known to be part of standard administrative tasks (e.g., script.ps1 in a known admin directory).
Scenario: Antivirus or EDR Agent Updating Signatures
Description: An endpoint protection tool (e.g., CrowdStrike, Microsoft Defender) updates its signature database, which may involve compiling or processing binary files.
Filter/Exclusion: Exclude processes associated with known antivirus/EDR agents (e.g., mpengine.exe, Csrss.exe, MsMpEng.exe).
Scenario: Custom Build Pipeline Using MSBuild
Description: A CI/CD pipeline (e.g., Jenkins, Azure DevOps) runs an MSBuild task to compile a .NET application, which may trigger the rule due to the presence of compiled code.
Filter/Exclusion: