CVE-2017-8759 is a code-injection vulnerability in the .NET Framework's SOAP WSDL parser. In the attacks seen in the wild it was delivered through Office documents that embed an object whose moniker points at an attacker-controlled WSDL, so simply opening the document on an unpatched host leads to code execution. Adversaries can still use such files against systems that were never patched; proactively scanning for them with YARA and surfacing the hits in Azure Sentinel (now Microsoft Sentinel) helps identify a compromise early, especially in environments still running vulnerable .NET builds.
YARA Rule
rule CVE_2017_8759_SOAP_Excel {
    meta:
        description = "Detects malicious files related to CVE-2017-8759"
        author = "Florian Roth"
        reference = "https://twitter.com/buffaloverflow/status/908455053345869825"
        date = "2017-09-15"
    strings:
        $s1 = "|'soap:wsdl=" ascii wide nocase
    condition:
        ( filesize < 300KB and 1 of them )
}
The rule contains a single string pattern, $s1, declared ascii wide nocase, so it matches the SOAP WSDL moniker whether it is stored as plain ASCII or as UTF-16LE and regardless of letter case. The condition additionally requires the file to be smaller than 300 KB, which keeps scans fast and cuts noise from large legitimate documents, at the cost of missing a sample that has been padded past that size.

The rule can be deployed wherever file content is available to a YARA scanner (endpoint agents, mail and web gateways, sandbox pipelines, or ad hoc scans of file shares) with its hits forwarded to Sentinel. The scenarios below describe legitimate activity that can generate noise once those hits are correlated with process telemetry, with a suggested exclusion for each. These exclusions key on the process that touched the file rather than on the file content that YARA already judged suspicious, so use them to de-prioritise a hit rather than suppress it, and tie broad process names such as powershell.exe to a known script path or signer as the second scenario does.
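The following is an added example, not part of the original page and not code by the rule's author: a pure-Python re-implementation of the rule's matching logic (no yara-python dependency) that shows what "ascii wide nocase" and "filesize < 300KB" actually accept. The sample files are constructed byte strings, not real malware, and the 192.0.2.10 address is a documentation address chosen for illustration.

```python
import re

# Parameters copied from the YARA rule on this page.
MAX_FILESIZE = 300 * 1024        # YARA's "300KB" means 300 * 1024 bytes
SOAP_MONIKER = "|'soap:wsdl="    # $s1


def _yara_string_regex(text: str, wide: bool):
    """Compile a bytes regex equivalent to a YARA string with the nocase
    modifier. With wide=True every character is followed by a NUL byte,
    which is how YARA's 'wide' modifier matches UTF-16LE text."""
    parts = []
    for ch in text:
        if ch.isalpha():
            # nocase: accept either case of each letter
            parts.append(b"[" + ch.lower().encode() + ch.upper().encode() + b"]")
        else:
            parts.append(re.escape(ch.encode()))
        if wide:
            parts.append(b"\x00")
    return re.compile(b"".join(parts))


# "ascii wide" means both encodings of the same string are searched.
PATTERNS = (
    _yara_string_regex(SOAP_MONIKER, wide=False),
    _yara_string_regex(SOAP_MONIKER, wide=True),
)


def matches_rule(data: bytes) -> bool:
    """Evaluate the rule's condition: filesize < 300KB and 1 of them."""
    if len(data) >= MAX_FILESIZE:
        return False
    return any(p.search(data) for p in PATTERNS)


def scan(files: dict) -> list:
    """Return the names of files (name -> content) that the rule matches."""
    return sorted(name for name, data in files.items() if matches_rule(data))


# Constructed samples for illustration; none of these is real malware.
SAMPLES = {
    # moniker stored as plain ASCII
    "ascii_moniker.bin": b"\x00" * 64 + b"|'soap:wsdl=http://192.0.2.10/x.wsdl" + b"\x00" * 64,
    # same moniker stored in UTF-16LE and upper case, as it appears in an OLE stream
    "wide_upper_moniker.xls": b"\xd0\xcf\x11\xe0" + "|'SOAP:WSDL=http://192.0.2.10/x.wsdl".encode("utf-16-le"),
    # ordinary document with no moniker
    "benign.rtf": b"{\\rtf1 Quarterly figures, nothing unusual here.}",
    # moniker present but file padded beyond 300 KB: the filesize guard wins
    "padded_moniker.bin": b"|'soap:wsdl=http://192.0.2.10/x.wsdl" + b" " * MAX_FILESIZE,
}

if __name__ == "__main__":
    for name in scan(SAMPLES):
        print("CVE_2017_8759_SOAP_Excel matched:", name)
```

Running the script reports the ASCII and the UTF-16LE samples and stays silent on the benign file and on the padded one. That last case is the trade-off to keep in mind when tuning: the size guard suppresses noise, but an attacker who pads a document past 300 KB slips under the rule, so a hunt should pair it with a second signal (for example the moniker string alone, without the size limit, at lower priority).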
Scenario: System update or patching process using Windows Update or Microsoft Endpoint Manager
Filter/Exclusion: Check for ProcessName containing "wuauclt.exe" or "MpCmdRun.exe" (Microsoft Update or Windows Defender components)
Suggested Filter: ProcessName in ("wuauclt.exe", "MpCmdRun.exe")

Scenario: Scheduled job for log file rotation or cleanup using a legitimate script or tool such as logrotate or PowerShell
Filter/Exclusion: Check for ProcessName containing "logrotate" or "powershell.exe" together with a known legitimate script path
Suggested Filter: ProcessName in ("logrotate", "powershell.exe") and CommandLine contains "/path/to/legitimate/script.ps1"

Scenario: Admin task to analyze or debug a file using tools such as Process Monitor (Procmon.exe)
Filter/Exclusion: Check for ProcessName containing "procmon.exe" or "ProcessMonitor.exe"
Suggested Filter: ProcessName in ("procmon.exe", "ProcessMonitor.exe")

Scenario: Security software or endpoint protection tool performing a scan or integrity check (e.g., Malwarebytes, Bitdefender, or Windows Defender)
Filter/Exclusion: Check for ProcessName containing "mbam.exe", "bdtray.exe", or "MsMpEng.exe"
Suggested Filter: ProcessName in ("mbam.exe", "bdtray.exe", "MsMpEng.exe")

Scenario: Legitimate file access or modification by a system service or a user with elevated privileges (e.g., svchost.exe or explorer.exe)
Filter/Exclusion: Check for ProcessName containing "svchost.exe" or "expl