Adversaries may use malicious Word documents exploiting CVE-2017-8759 to execute arbitrary code and establish persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential exploitation of outdated Office vulnerabilities.
YARA Rule
rule CVE_2017_8759_Mal_Doc {
   meta:
      description = "Detects malicious files related to CVE-2017-8759 - file Doc1.doc"
      author = "Florian Roth"
      reference = "https://github.com/Voulnet/CVE-2017-8759-Exploit-sample"
      date = "2017-09-14"
      hash1 = "6314c5696af4c4b24c3a92b0e92a064aaf04fd56673e830f4d339b8805cc9635"
   strings:
      $s1 = "soap:wsdl=http://" ascii wide nocase
      $s2 = "soap:wsdl=https://" ascii wide nocase
      $c1 = "Project.ThisDocument.AutoOpen" fullword wide
   condition:
      ( uint16(0) == 0xcfd0 and filesize < 500KB and 2 of them )
}
This YARA rule can be deployed in the following contexts:
This rule contains 3 string patterns ($s1, $s2 and $c1) in its detection logic; the condition fires only when at least 2 of them are present in a file that starts with the OLE2 compound-file header (uint16(0) == 0xcfd0) and is smaller than 500KB.
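To see how the condition and the string modifiers (ascii, wide, nocase, fullword) behave, the following Python re-implements the rule's logic and runs it over constructed sample bytes. This is an added example, not code from the page or from the rule's author; the sample blobs and the example.invalid host are made up, and YARA's fullword boundary is approximated with an alphanumeric check.

```python
import re

FILESIZE_LIMIT = 500 * 1024  # YARA's "500KB" means 500 * 1024 bytes

# identifier -> (string, modifiers), copied from the rule above
RULE_STRINGS = {
    "$s1": (b"soap:wsdl=http://", {"ascii", "wide", "nocase"}),
    "$s2": (b"soap:wsdl=https://", {"ascii", "wide", "nocase"}),
    "$c1": (b"Project.ThisDocument.AutoOpen", {"wide", "fullword"}),
}

def _compile(text, mods):
    """One regex covering each encoding the modifiers ask for (YARA default is ascii)."""
    fw = "fullword" in mods
    alts = []
    if "ascii" in mods or "wide" not in mods:
        alts.append((rb"(?<![A-Za-z0-9])" if fw else b"") + re.escape(text)
                    + (rb"(?![A-Za-z0-9])" if fw else b""))
    if "wide" in mods:  # wide = UTF-16LE: each byte followed by 0x00
        wide = b"".join(re.escape(bytes([c])) + b"\x00" for c in text)
        alts.append((rb"(?<![A-Za-z0-9]\x00)" if fw else b"") + wide
                    + (rb"(?![A-Za-z0-9]\x00)" if fw else b""))
    flags = re.IGNORECASE if "nocase" in mods else 0  # ASCII letters only, as in YARA
    return re.compile(b"|".join(b"(?:" + a + b")" for a in alts), flags)

COMPILED = {n: _compile(s, m) for n, (s, m) in RULE_STRINGS.items()}

def matched_strings(data):
    """Identifiers of the rule's strings present in data."""
    return {n for n, rx in COMPILED.items() if rx.search(data)}

def rule_matches(data):
    """Evaluate: uint16(0) == 0xcfd0 and filesize < 500KB and 2 of them."""
    if len(data) < 2 or int.from_bytes(data[:2], "little") != 0xCFD0:
        return False  # not an OLE2 compound file (header bytes D0 CF 11 E0)
    if len(data) >= FILESIZE_LIMIT:
        return False
    return len(matched_strings(data)) >= 2

# Constructed sample bytes (not real malware): OLE2 header plus the rule's strings
OLE2_HEADER = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
SAMPLE_HIT = (OLE2_HEADER + b"\x00" * 32 + b"SOAP:WSDL=HTTP://example.invalid/x.wsdl"
              + b"\x00" * 8 + "Project.ThisDocument.AutoOpen".encode("utf-16-le"))
SAMPLE_ONE_STRING = OLE2_HEADER + b"soap:wsdl=https://example.invalid/"  # only 1 of them
SAMPLE_ZIP = b"PK\x03\x04" + SAMPLE_HIT[8:]  # docx container: uint16(0) check fails

if __name__ == "__main__":
    for name, blob in [("hit", SAMPLE_HIT), ("one", SAMPLE_ONE_STRING), ("zip", SAMPLE_ZIP)]:
        print(name, sorted(matched_strings(blob)), rule_matches(blob))
```

Note that $c1 is wide-only, so an ASCII "Project.ThisDocument.AutoOpen" does not count, and the nocase modifier lets $s1 catch an upper-cased SOAP moniker.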
Scenario: A system administrator is using PowerShell to automate the deployment of a legitimate .doc file as part of a software update process.
Filter/Exclusion: Exclude files with the source path containing C:\Windows\System32\ or C:\Program Files\ and where the process is powershell.exe with a command line containing deploy or update.
Scenario: A scheduled job runs Task Scheduler to generate a .doc file for reporting purposes, which is then opened by a reporting tool like Microsoft Excel.
Filter/Exclusion: Exclude files created by schtasks.exe or with a creation time matching the scheduled job’s execution time, and filter out files opened by excel.exe.
Scenario: An IT support tool like Microsoft Endpoint Manager or Intune generates a .doc file for user training or documentation.
Filter/Exclusion: Exclude files with a parent process of msiexec.exe, setup.exe, or intunewin.exe, and filter out files with a known training or documentation directory path.
Scenario: A backup process using Veeam Backup & Replication or Commvault creates temporary .doc files during the backup of user documents.
Filter/Exclusion: Exclude files with a parent process of veeam.exe, cvbackup.exe, or backup.exe, and filter out files located in backup directories such as C:\Backup\ or D:\Data\.
Scenario: A Windows Update or Windows Defender scan temporarily creates a .doc file for testing or logging purposes.
Filter/Exclusion: Exclude files with a parent process of wuauclt.exe, MsMpEng.exe, or taskhost.exe, and filter out files with