Adversaries may exploit CVE-2017-8759 by embedding malicious code in RTF files to execute arbitrary code on victim systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential zero-day exploitation attempts and mitigate lateral movement risks.
YARA Rule
// RTFFILE is referenced by the rule below but was not defined on this page; it is
// the usual helper rule that checks for the RTF magic "{\rt" at offset 0.
private rule RTFFILE {
    condition:
        uint32be(0) == 0x7B5C7274
}

rule CVE_2017_8759_WSDL_in_RTF {
    meta:
        description = "Detects malicious RTF file related CVE-2017-8759"
        author = "Security Doggo @xdxdxdxdoa"
        reference = "https://twitter.com/xdxdxdxdoa/status/908665278199996416"
        date = "2017-09-15"
    strings:
        $doc = "d0cf11e0a1b11ae1"                          // hex-encoded OLE compound file header
        $obj = "\\objupdate"                               // RTF control word that refreshes the object on open
        $wsdl = "7700730064006c003d00" nocase              // "wsdl=" in UTF-16LE, hex-encoded
        $http1 = "68007400740070003a002f002f00" nocase     // "http://" in UTF-16LE, hex-encoded
        $http2 = "680074007400700073003a002f002f00" nocase // "https://" in UTF-16LE, hex-encoded
        $http3 = "6600740070003a002f002f00" nocase         // "ftp://" in UTF-16LE, hex-encoded
    condition:
        RTFFILE and $obj and $doc and $wsdl and 1 of ($http*)
}
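To make the rule's hex strings concrete, the following Python example (added here; it is not part of the original page or the rule author's work) decodes them back to the UTF-16LE text they match and re-evaluates the rule's condition over two constructed RTF samples. The minimal RTF layout of the samples and the placeholder URL are assumptions.

```python
# Hex strings from the rule: they are UTF-16LE text, hex-encoded the way RTF
# stores embedded object bytes under \objdata.
RULE_HEX = {
    "wsdl": "7700730064006c003d00",
    "http1": "68007400740070003a002f002f00",
    "http2": "680074007400700073003a002f002f00",
    "http3": "6600740070003a002f002f00",
}
OLE_MAGIC_HEX = b"d0cf11e0a1b11ae1"  # $doc: hex of the OLE compound file header
OBJUPDATE = b"\\objupdate"           # $obj: control word that refreshes the object on open


def decode_rule_hex(h: str) -> str:
    """Return the text a rule hex string matches (hex -> bytes -> UTF-16LE)."""
    return bytes.fromhex(h).decode("utf-16-le")


def is_rtf(data: bytes) -> bool:
    """Equivalent of the RTFFILE header check: the file starts with '{\\rt'."""
    return data[:4] == b"{\\rt"


def evaluate_rule(data: bytes) -> dict:
    """Re-implement the rule's condition and report each term separately."""
    lower = data.lower()  # emulates the nocase modifier on $wsdl and $http*
    hits = {
        "rtf": is_rtf(data),
        "doc": OLE_MAGIC_HEX in data,  # $doc carries no nocase: matched exactly as written
        "obj": OBJUPDATE in data,
        "wsdl": RULE_HEX["wsdl"].encode() in lower,
        "http": any(RULE_HEX[k].encode() in lower for k in ("http1", "http2", "http3")),
    }
    hits["match"] = all(hits.values())
    return hits


def build_sample(object_text: str, objupdate: bool) -> bytes:
    """Constructed RTF (assumed minimal layout) with one embedded OLE object whose
    payload bytes are the UTF-16LE encoding of object_text, hex-encoded."""
    ctrl = b"\\objupdate" if objupdate else b""
    objdata = OLE_MAGIC_HEX + object_text.encode("utf-16-le").hex().encode()
    return b"{\\rtf1\\ansi{\\object\\objemb" + ctrl + b"{\\*\\objdata " + objdata + b"}}}"


# Constructed samples: a benign embedded object, and one that carries the markers
# the rule looks for (placeholder URL, no real exploit content).
BENIGN = build_sample("Embedded spreadsheet", objupdate=False)
SUSPECT = build_sample("wsdl=http://placeholder.invalid/svc?wsdl", objupdate=True)

if __name__ == "__main__":
    print({k: decode_rule_hex(v) for k, v in RULE_HEX.items()})
    print("benign:", evaluate_rule(BENIGN))
    print("suspect:", evaluate_rule(SUSPECT))
```

Running it shows that the benign sample satisfies the RTF, $doc terms only, while the suspect sample satisfies every term and therefore matches.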
This YARA rule, which uses six string patterns in its detection logic, can be deployed in the contexts below; each scenario pairs likely benign activity with a suggested filter or exclusion.
Scenario: A user receives and opens a legitimate RTF file from a trusted internal email system (e.g., Microsoft Exchange) that contains embedded images or formatting.
Filter/Exclusion: Exclude files originating from internal email servers or domains (e.g., from.domain.com) using a filter like email.source == "internal" or src_ip in (internal IP range).
Scenario: A system administrator generates a report in RTF format using a tool like Microsoft Word or LibreOffice as part of a routine administrative task.
Filter/Exclusion: Exclude files created by known administrative tools (e.g., process.name == "winword.exe" or process.name == "libreoffice") or files generated by scheduled tasks (e.g., task_name == "daily_report").
Scenario: A scheduled job runs a script that generates an RTF file for documentation purposes using Pandoc or LaTeX.
Filter/Exclusion: Exclude files generated by known documentation tools (e.g., process.name == "pandoc" or process.name == "latex") or files created by specific scheduled tasks (e.g., task_id == "doc_gen").
Scenario: A user downloads a legitimate RTF file from a public repository (e.g., GitHub) or internal documentation site as part of a software development process.
Filter/Exclusion: Exclude files downloaded from known safe sources (e.g., download_url contains "github.com" or download_url contains "internal-docs.com") using a URL filter.
Scenario: A system update or patching process generates temporary RTF files as part of a deployment script using Ansible or Chef.
Filter/Exclusion: Exclude files created by configuration management tools (e.g., process.name == "ansible"