Adversaries may be leveraging outdated Microsoft Office vulnerabilities to execute arbitrary code through malicious document attachments. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential exploitation of unpatched systems.
YARA Rule
rule Exploit_MS15_077_078: Exploit {
    meta:
        description = "MS15-078 / MS15-077 exploit - generic signature"
        author = "Florian Roth"
        reference = "https://code.google.com/p/google-security-research/issues/detail?id=473&can=1&start=200"
        date = "2015-07-21"
        hash1 = "18e3e840a5e5b75747d6b961fca66a670e3faef252aaa416a88488967b47ac1c"
        hash2 = "0b5dc030e73074b18b1959d1cf7177ff510dbc2a0ec2b8bb927936f59eb3d14d"
        hash3 = "fc609adef44b5c64de029b2b2cff22a6f36b6bdf9463c1bd320a522ed39de5d9"
        hash4 = "ad6bb982a1ecfe080baf0a2b27950f989c107949b1cf02b6e0907f1a568ece15"
    strings:
        $s1 = "GDI32.DLL" fullword ascii
        $s2 = "atmfd.dll" fullword wide
        $s3 = "AddFontMemResourceEx" fullword ascii
        $s4 = "NamedEscape" fullword ascii
        $s5 = "CreateBitmap" fullword ascii
        $s6 = "DeleteObject" fullword ascii
        $op0 = { 83 45 e8 01 eb 07 c7 45 e8 } /* Opcode */
        $op1 = { 8d 85 24 42 fb ff 89 04 24 e8 80 22 00 00 c7 45 } /* Opcode */
        $op2 = { eb 54 8b 15 6c 00 4c 00 8d 85 24 42 fb ff 89 44 } /* Opcode */
        $op3 = { 64 00 88 ff 84 03 70 03 }
    condition:
        uint16(0) == 0x5a4d and filesize < 2000KB and all of ($s*) or all of ($op*)
}
This YARA rule can be deployed in the following contexts:
This rule contains 10 string patterns in its detection logic.
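The following Python script is an added example, not part of the original page or of Florian Roth's rule, that re-implements the rule's condition without a YARA install so the matching logic can be exercised on constructed samples. The fullword and wide handling is an approximation of YARA's semantics (alphanumeric-boundary check, UTF-16LE encoding); the sample builders and their byte contents are constructed here for the test and are not real malware. It also makes the operator precedence visible: in YARA `and` binds tighter than `or`, so the condition reads as `(MZ and filesize and all $s) or (all $op)`, meaning the four opcode patterns alone are enough to fire regardless of file type or size.

```python
"""Dependency-free emulation of rule Exploit_MS15_077_078 (added example)."""
import re

# Strings from the rule. "wide" in YARA means the string is UTF-16LE encoded.
ASCII_STRINGS = [b"GDI32.DLL", b"AddFontMemResourceEx", b"NamedEscape",
                 b"CreateBitmap", b"DeleteObject"]
WIDE_STRINGS = ["atmfd.dll"]
# Opcode byte patterns from the rule (no wildcards, so a plain substring search suffices).
OPCODES = [
    bytes.fromhex("8345e801eb07c745e8"),                  # $op0
    bytes.fromhex("8d852442fbff890424e880220000c745"),    # $op1
    bytes.fromhex("eb548b156c004c008d852442fbff8944"),    # $op2
    bytes.fromhex("640088ff84037003"),                    # $op3
]
MAX_SIZE = 2000 * 1024  # YARA's "2000KB" (1 KB = 1024 bytes)


def has_ascii_fullword(data: bytes, needle: bytes) -> bool:
    """Approximates YARA 'fullword ascii': the string must not be preceded
    or followed by an alphanumeric character."""
    pattern = rb"(?<![A-Za-z0-9])" + re.escape(needle) + rb"(?![A-Za-z0-9])"
    return re.search(pattern, data) is not None


def _is_wide_alnum(pair: bytes) -> bool:
    # A UTF-16LE alphanumeric character is an ASCII alnum byte followed by 0x00.
    return len(pair) == 2 and pair[1] == 0 and pair[0] < 128 and chr(pair[0]).isalnum()


def has_wide_fullword(data: bytes, text: str) -> bool:
    """Approximates YARA 'fullword wide': UTF-16LE encoding, not bounded by
    a UTF-16LE alphanumeric on either side."""
    needle = text.encode("utf-16-le")
    start = 0
    while (i := data.find(needle, start)) != -1:
        before = data[max(0, i - 2):i]
        after = data[i + len(needle):i + len(needle) + 2]
        if not _is_wide_alnum(before) and not _is_wide_alnum(after):
            return True
        start = i + 1
    return False


def rule_matches(data: bytes) -> bool:
    """Evaluates the rule's condition with YARA's precedence (and before or)."""
    is_mz = data[:2] == b"MZ"          # uint16(0) == 0x5a4d, little-endian
    small = len(data) < MAX_SIZE       # filesize < 2000KB
    all_s = (all(has_ascii_fullword(data, s) for s in ASCII_STRINGS)
             and all(has_wide_fullword(data, w) for w in WIDE_STRINGS))
    all_op = all(op in data for op in OPCODES)
    # Exactly the grouping YARA applies to the rule's condition line.
    return (is_mz and small and all_s) or all_op


def build_pe_like_sample() -> bytes:
    """Constructed test input: an MZ stub followed by every $s string,
    separated by two NUL bytes so both ascii and wide fullword checks pass."""
    parts = ASCII_STRINGS + [w.encode("utf-16-le") for w in WIDE_STRINGS]
    return b"MZ" + b"\x00" * 62 + b"\x00\x00".join(parts) + b"\x00"


def build_opcode_only_sample() -> bytes:
    """Constructed test input: no MZ header, just the four $op patterns.
    Because of the precedence above, this still satisfies the condition."""
    return b"\x00" * 16 + b"".join(OPCODES)


if __name__ == "__main__":
    print("PE-like sample:", rule_matches(build_pe_like_sample()))
    print("opcode-only blob:", rule_matches(build_opcode_only_sample()))
    print("empty MZ stub:", rule_matches(b"MZ" + b"\x00" * 100))
```

The opcode-only case is the one worth keeping in mind when triaging hits from this rule: a match on `$op*` alone carries none of the PE-header or size context that the `$s*` branch requires.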
Scenario: Legitimate scheduled job using mshta.exe
Description: A scheduled task runs a legitimate script using mshta.exe to launch a GUI application or perform administrative tasks.
Filter/Exclusion: Exclude processes where mshta.exe is used with a .hta file that is known to be part of a legitimate scheduled job or system maintenance script.
Scenario: Microsoft Update or Patch Installation
Description: A system is running a Microsoft update or patch installation that triggers the exploit signature due to similar code patterns.
Filter/Exclusion: Exclude processes where mshta.exe is used in the context of a Microsoft update or patch installation, such as during Windows Update or through the wuauclt.exe process.
Scenario: Admin Task Using mshta.exe for GUI Interaction
Description: An administrator uses mshta.exe to launch a GUI-based administrative tool or script for configuration purposes.
Filter/Exclusion: Exclude processes where mshta.exe is executed by a user with administrative privileges and is associated with known administrative tools or scripts.
Scenario: Malicious Tool Mimicking Legitimate Behavior
Description: A legitimate tool (e.g., PowerShell.exe, cmd.exe) is used in a way that mimics the behavior of the exploit, such as launching a GUI or executing scripts.
Filter/Exclusion: Exclude processes where the command line or script is known to be part of a legitimate tool or administrative task, such as PowerShell.exe with a known script path.
Scenario: Third-Party Software Using mshta.exe for GUI Integration
Description: A third-party application uses mshta.exe to integrate with a GUI or perform system-level tasks, which may trigger the exploit signature.
Filter/Exclusion: Exclude