Adversaries may be leveraging the MS15-078 / MS15-077 exploit, commonly associated with the Hacking Team code, to gain unauthorized access to systems. Proactive hunting for this behavior in Azure Sentinel is critical to identify potential compromise from known exploit vectors before they lead to broader network infiltration.
YARA Rule
rule Exploit_MS15_077_078_HackingTeam: Exploit {
    meta:
        description = "MS15-078 / MS15-077 exploit - Hacking Team code"
        author = "Florian Roth"
        date = "2015-07-21"
        super_rule = 1
        hash1 = "ad6bb982a1ecfe080baf0a2b27950f989c107949b1cf02b6e0907f1a568ece15"
        hash2 = "fc609adef44b5c64de029b2b2cff22a6f36b6bdf9463c1bd320a522ed39de5d9"
    strings:
        $s1 = "\\SystemRoot\\system32\\CI.dll" fullword ascii /* PEStudio Blacklist: strings */
        $s2 = "\\sysnative\\CI.dll" fullword ascii /* PEStudio Blacklist: strings */
        $s3 = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36" fullword ascii /* PEStudio Blacklist: strings */
        $s4 = "CRTDLL.DLL" fullword ascii
        $s5 = "\\sysnative" fullword ascii /* PEStudio Blacklist: strings */
        $s6 = "InternetOpenA coolio, trying open %s" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 2500KB and all of them
}
This rule contains 6 string patterns in its detection logic. All six must be present (each as a fullword ASCII match), the file must start with the MZ header (uint16(0) == 0x5a4d) and it must be smaller than 2500 KB for the rule to fire. The scenarios below describe contexts in which the rule may fire on sanctioned activity, with an example exclusion for each.
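The following is an added example, not part of the original page or of the rule author's tooling: a small pure-Python evaluator that reproduces the condition of the rule above (MZ header check, size limit, and all six fullword ASCII strings) so the semantics can be checked offline without a YARA install. The sample buffers are constructed here for illustration and are not real malware; YARA's KB suffix means 1024 bytes, and "fullword" means the string is not bordered by an alphanumeric character on either side.

```python
import re

# The six strings from the rule, as bytes (ASCII, fullword).
RULE_STRINGS = {
    "$s1": b"\\SystemRoot\\system32\\CI.dll",
    "$s2": b"\\sysnative\\CI.dll",
    "$s3": (b"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 "
            b"(KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36"),
    "$s4": b"CRTDLL.DLL",
    "$s5": b"\\sysnative",
    "$s6": b"InternetOpenA coolio, trying open %s",
}
MAX_SIZE = 2500 * 1024   # 'filesize < 2500KB'; YARA's KB is 1024 bytes


def fullword_pattern(s: bytes) -> "re.Pattern[bytes]":
    """YARA 'fullword': no alphanumeric byte directly before or after the match."""
    return re.compile(rb"(?<![A-Za-z0-9])" + re.escape(s) + rb"(?![A-Za-z0-9])")


def evaluate(data: bytes) -> dict:
    """Evaluate the rule's condition on a file image; returns per-term results."""
    # uint16(0) == 0x5a4d: little-endian read of the first two bytes ("MZ")
    is_pe = len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x5A4D
    size_ok = len(data) < MAX_SIZE
    strings = {name: fullword_pattern(s).search(data) is not None
               for name, s in RULE_STRINGS.items()}
    return {
        "match": is_pe and size_ok and all(strings.values()),   # 'all of them'
        "is_pe": is_pe,
        "size_ok": size_ok,
        "strings": strings,
    }


def build_sample(omit: str = "", header: bytes = b"MZ") -> bytes:
    """Constructed test image: a header, padding, then the strings NUL-separated."""
    body = b"\x00".join(s for name, s in RULE_STRINGS.items() if name != omit)
    return header + b"\x00" * 62 + body + b"\x00"


if __name__ == "__main__":
    for label, sample in [
        ("all strings, MZ header", build_sample()),
        ("missing $s6", build_sample(omit="$s6")),
        ("not a PE (PK header)", build_sample(header=b"PK")),
        ("too large", build_sample() + b"\x00" * MAX_SIZE),
    ]:
        print(f"{label:24s} -> match={evaluate(sample)['match']}")
```

Because $s5 ("\sysnative") is followed by a backslash inside $s2, the fullword check still lets it match there, exactly as YARA does; a string such as "XCRTDLL.DLLX" does not satisfy $s4, which is why the rule is reasonably resistant to incidental substring hits.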
Scenario: Legitimate use of the MS15-078 exploit in a security testing lab
Filter/Exclusion: process.name == "msfconsole" or process.parent.name == "msfconsole"
Scenario: Scheduled job running HackingTeamCode.exe as part of a known patching tool
Filter/Exclusion: process.name == "HackingTeamCode.exe" and process.parent.name == "patching_tool.exe"
Scenario: Admin performing a legitimate system update using Microsoft's own patching tools
Filter/Exclusion: process.name == "wusa.exe" or process.name == "msuinstaller.exe"
Scenario: Use of HackingTeamCode.exe by a security researcher for red team training
Filter/Exclusion: process.name == "HackingTeamCode.exe" and user.name == "security_researcher"
Scenario: Legitimate use of the MS15-077 exploit in a penetration testing environment
Filter/Exclusion: process.name == "metasploit" and process.parent.name == "test_env_launcher.exe"
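As an added example (not part of the original page), the evaluator below compiles the exclusion expressions listed above into predicates and applies them to constructed alert records, so the effect of each tuning filter can be checked before it is deployed. It accepts both spellings of the operators that appear on this page ("and"/"&&", "or"/"||") and only the equality comparison the filters use; the field names are the dotted keys of a flat event dictionary, and the events are invented for illustration.

```python
import re

# Tokens: '==', '&&' / '||', a double-quoted string, or a word (field name, 'and', 'or').
TOKEN_RE = re.compile(r'\s*(?:(==)|(&&|\|\|)|"([^"]*)"|([A-Za-z_][\w.]*))')


def tokenize(expr: str) -> list:
    expr, pos, tokens = expr.strip(), 0, []
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if m is None:
            raise ValueError(f"bad token at offset {pos}: {expr[pos:]!r}")
        pos = m.end()
        if m.group(1):
            tokens.append(("op", "=="))
        elif m.group(2):
            tokens.append(("logic", "and" if m.group(2) == "&&" else "or"))
        elif m.group(3) is not None:
            tokens.append(("str", m.group(3)))
        else:
            word = m.group(4)
            tokens.append(("logic", word) if word in ("and", "or") else ("field", word))
    return tokens


class Parser:
    """Recursive descent: or_expr := and_expr ('or' and_expr)*; and_expr := cmp ('and' cmp)*."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self, kind):
        k, v = self.peek()
        if k != kind:
            raise ValueError(f"expected {kind}, got {k} {v!r}")
        self.i += 1
        return v

    def parse(self):
        node = self.or_expr()
        if self.i != len(self.toks):
            raise ValueError("unexpected trailing tokens")
        return node

    def or_expr(self):
        left = self.and_expr()
        while self.peek() == ("logic", "or"):
            self.i += 1
            left = (lambda l, r: lambda ev: l(ev) or r(ev))(left, self.and_expr())
        return left

    def and_expr(self):
        left = self.cmp()
        while self.peek() == ("logic", "and"):
            self.i += 1
            left = (lambda l, r: lambda ev: l(ev) and r(ev))(left, self.cmp())
        return left

    def cmp(self):
        field = self.take("field")
        self.take("op")
        value = self.take("str")
        return lambda ev, f=field, v=value: ev.get(f) == v


def compile_exclusion(expr: str):
    return Parser(tokenize(expr)).parse()


# The exclusions from the scenarios above, in the spellings used on the page.
EXCLUSIONS = [
    'process.name == "msfconsole" or process.parent.name == "msfconsole"',
    'process.name == "HackingTeamCode.exe" && process.parent.name == "patching_tool.exe"',
    'process.name == "wusa.exe" or process.name == "msuinstaller.exe"',
    'process.name == "HackingTeamCode.exe" && user.name == "security_researcher"',
    'process.name == "metasploit" && process.parent.name == "test_env_launcher.exe"',
]

# Constructed alert records: YARA hits enriched with process context.
EVENTS = [
    {"id": 1, "process.name": "msfconsole", "process.parent.name": "bash", "user.name": "analyst"},
    {"id": 2, "process.name": "HackingTeamCode.exe", "process.parent.name": "explorer.exe", "user.name": "jdoe"},
    {"id": 3, "process.name": "HackingTeamCode.exe", "process.parent.name": "patching_tool.exe", "user.name": "svc_patch"},
    {"id": 4, "process.name": "wusa.exe", "process.parent.name": "services.exe", "user.name": "SYSTEM"},
    {"id": 5, "process.name": "unknown.exe", "process.parent.name": "cmd.exe", "user.name": "jdoe"},
]


def surviving_alerts(events, exclusions=EXCLUSIONS) -> list:
    """Return the alerts that no exclusion suppresses."""
    preds = [compile_exclusion(e) for e in exclusions]
    return [ev for ev in events if not any(p(ev) for p in preds)]


if __name__ == "__main__":
    for ev in surviving_alerts(EVENTS):
        print("alert kept:", ev)
```

Running it keeps events 2 and 5: the HackingTeamCode.exe hit under explorer.exe matches neither the patching-tool parent nor the researcher account, and the unknown process matches nothing. A process or account name on its own is a weak key for an exclusion, so in production each of these filters should be narrowed with additional context (host, path, or the scheduled job that launches the tool) rather than deployed as written.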