Adversaries may use JavaScript to download SOAP WSDL files to enumerate web services and exploit potential vulnerabilities. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential reconnaissance activities and prevent further exploitation.
YARA Rule
rule CVE_2017_8759_SOAP_via_JS {
    meta:
        description = "Detects SOAP WDSL Download via JavaScript"
        author = "Florian Roth"
        reference = "https://twitter.com/buffaloverflow/status/907728364278087680"
        date = "2017-09-14"
        score = 60
    strings:
        $s1 = "GetObject(\"soap:wsdl=https://" ascii wide nocase
        $s2 = "GetObject(\"soap:wsdl=http://" ascii wide nocase
    condition:
        ( filesize < 3KB and 1 of them )
}
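To make the rule's modifiers concrete, here is an added Python re-implementation of its matching logic (this is example code written for this page, not part of the rule or Florian Roth's signature-base). It shows what `ascii wide nocase` and `filesize < 3KB` actually mean at the byte level: each literal is searched both as raw bytes and as UTF-16LE, case-insensitively, and nothing is reported once the file reaches 3 KiB. The sample inputs are constructed; the 203.0.113.0/24 address is the documentation range.

```python
import re

# The two literals from the rule above, copied here so the example runs offline
PATTERNS = {
    "$s1": 'GetObject("soap:wsdl=https://',
    "$s2": 'GetObject("soap:wsdl=http://',
}
MAX_SIZE = 3 * 1024  # YARA reads "3KB" as 3 * 1024 bytes


def _encoded_forms(pattern: str):
    """'ascii' and 'wide' modifiers: the literal as raw bytes and as UTF-16LE."""
    return [pattern.encode("ascii"), pattern.encode("utf-16-le")]


def match_soap_wsdl_rule(data: bytes):
    """Return the ids of the strings that hit, or [] when the rule would not fire.

    Mirrors: ( filesize < 3KB and 1 of them ) over ascii/wide/nocase strings.
    """
    if len(data) >= MAX_SIZE:  # filesize gate: large files never match
        return []
    hits = []
    for ident, pat in PATTERNS.items():
        for form in _encoded_forms(pat):
            # nocase: case-insensitive search; re.escape keeps the quote and '=' literal
            if re.search(re.escape(form), data, re.IGNORECASE):
                hits.append(ident)
                break  # one form is enough for this identifier
    return hits


# Constructed samples (not real malware); 203.0.113.0/24 is the documentation range
SAMPLE_ASCII = b'var o = GetObject("SOAP:WSDL=http://203.0.113.10/service.wsdl");'
SAMPLE_WIDE = 'x = GetObject("soap:wsdl=https://203.0.113.10/svc?wsdl")'.encode("utf-16-le")
SAMPLE_BENIGN = b'var locator = GetObject("winmgmts:");'
SAMPLE_PADDED = SAMPLE_ASCII + b" " * 4096  # same content, but over the 3KB limit


def scan_samples():
    """Run the rule over the constructed samples; returns {name: matched ids}."""
    return {
        "ascii_upper": match_soap_wsdl_rule(SAMPLE_ASCII),
        "wide": match_soap_wsdl_rule(SAMPLE_WIDE),
        "benign": match_soap_wsdl_rule(SAMPLE_BENIGN),
        "padded": match_soap_wsdl_rule(SAMPLE_PADDED),
    }


if __name__ == "__main__":
    for name, ids in scan_samples().items():
        print(f"{name:12s} -> {ids or 'no match'}")
```

The padded sample is the practical caveat: the rule is tuned for small dropper scripts, so the same string embedded in a file of a few kilobytes is deliberately out of scope, and a hunt query in the SIEM should not assume the YARA hit covers larger files.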
This YARA rule can be deployed in the following contexts:
This rule contains 2 string patterns in its detection logic.
Scenario: System Administrator Downloads WSDL for Service Integration
Description: A system admin is manually downloading a WSDL file to configure a SOAP service integration.
Filter/Exclusion: process.name != "wsdl.exe" && process.name != "curl" && process.name != "wget"
Note: Use process name exclusions to avoid flagging legitimate admin tools used for service configuration.
Scenario: Scheduled Job Fetches WSDL for API Testing
Description: A scheduled job runs via a CI/CD pipeline to fetch a WSDL file for automated API testing.
Filter/Exclusion: process.name != "jenkins.exe" && process.name != "task scheduler" && process.name != "powershell.exe"
Note: Exclude known CI/CD tools or scheduled task runners that are used for automated testing.
Scenario: Developer Uses SoapUI to Test SOAP Endpoints
Description: A developer is using SoapUI to test a SOAP service and downloads the WSDL file for local testing.
Filter/Exclusion: process.name != "soapui.exe"
Note: Exclude SoapUI or similar tools commonly used for SOAP testing and development.
Scenario: Web Application Loads WSDL Dynamically for Client-Side Use
Description: A legitimate web application dynamically loads a WSDL file via JavaScript to generate client-side stubs.
Filter/Exclusion: process.name != "chrome.exe" && process.name != "firefox.exe" && !(request.url contains "internal-internal")
Note: Exclude internal URLs or browser processes that are part of a known internal application.
Scenario: Log Management Tool Imports WSDL for Service Monitoring
Description: A log management tool (e.g., Splunk, ELK) imports a WSDL file to monitor or analyze SOAP service logs.
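The exclusions in the scenarios above are easy to get wrong in one specific way: chaining `process.name != "a"` clauses with OR produces a condition that is true for every event, so the filter silently suppresses nothing. The added Python below (example code for this page, not a query from any SIEM product; the `Event` fields and the process allowlist are constructed from the scenarios) puts the literal OR transcription beside the corrected AND form and runs both over a few constructed events.

```python
from dataclasses import dataclass


@dataclass
class Event:
    """One enriched alert as it might arrive from the SIEM (constructed field names)."""
    process_name: str
    request_url: str


# Allowlist assembled from the scenarios above; tune to the tools actually in use
TOOLING_PROCESSES = {"wsdl.exe", "curl", "wget", "jenkins.exe", "powershell.exe", "soapui.exe"}
# The page's own URL marker; a placeholder for a real internal host pattern
INTERNAL_URL_MARKER = "internal-internal"


def keep_alert_as_written(ev: Event) -> bool:
    """Literal transcription of `process.name != "a" || process.name != "b" || ...`.

    A process name cannot equal two different strings at once, so at least one
    clause is always true: this filter lets every event through.
    """
    p = ev.process_name
    return p != "wsdl.exe" or p != "curl" or p != "wget"


def keep_alert(ev: Event, tooling=TOOLING_PROCESSES, marker=INTERNAL_URL_MARKER) -> bool:
    """Corrected filter: every `!=` clause must hold (AND), i.e. alert only when the
    process is not on the tooling allowlist and the URL is not a known internal one."""
    p = ev.process_name.lower()
    return p not in tooling and marker not in ev.request_url.lower()


def triage(events, rule=keep_alert):
    """Return the process names of the events the given filter lets through."""
    return [ev.process_name for ev in events if rule(ev)]


# Constructed events: a SoapUI session, a script host fetching from an external
# address (203.0.113.0/24 is the documentation range), and a browser calling a
# known internal service
SAMPLE_EVENTS = [
    Event("soapui.exe", "https://svc.example.test/orders?wsdl"),
    Event("wscript.exe", "http://203.0.113.10/service.wsdl"),
    Event("chrome.exe", "https://internal-internal.example.test/api?wsdl"),
]


if __name__ == "__main__":
    print("as written :", triage(SAMPLE_EVENTS, keep_alert_as_written))
    print("corrected  :", triage(SAMPLE_EVENTS, keep_alert))
```

Two tuning notes follow from this. First, a process-name allowlist is only as strong as the name: match on lower-cased values as the corrected filter does, and pair the name with a trusted binary path or signer when the SIEM has that field, since anything can be named `curl`. Second, for the browser scenario the URL marker is the safer of the two exclusions; dropping `chrome.exe` and `firefox.exe` wholesale hides exactly the JavaScript-initiated download the rule exists to catch.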