The hypothesis is that the detection rule identifies potential exploitation of the CVE-2015-5119 vulnerability through suspicious file execution or network activity indicative of an adversary leveraging this outdated exploit. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential compromise from legacy vulnerabilities that may still exist in their environment.
YARA Rule
rule Flash_CVE_2015_5119_APT3 : Exploit {
    meta:
        description = "Exploit Sample CVE-2015-5119"
        author = "Florian Roth"
        score = 70
        date = "2015-08-01"
    strings:
        $s0 = "HT_exploit" fullword ascii
        $s1 = "HT_Exploit" fullword ascii
        $s2 = "flash_exploit_" ascii
        $s3 = "exp1_fla/MainTimeline" ascii fullword
        $s4 = "exp2_fla/MainTimeline" ascii fullword
        $s5 = "_shellcode_32" fullword ascii
        $s6 = "todo: unknown 32-bit target" fullword ascii
    condition:
        uint16(0) == 0x5746 and 1 of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 7 string patterns in its detection logic.
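The following is an added illustration, not part of the original rule or Florian Roth's work: a small Python re-implementation of the rule's condition, run against constructed byte strings, to show what `uint16(0) == 0x5746` and `fullword` actually require. Note that 0x5746 read little-endian is the bytes "FW", so the rule only fires on uncompressed "FWS" SWF files; a zlib-compressed "CWS" (or LZMA "ZWS") sample carrying the same marker string would need to be decompressed before scanning. The fullword handling below is an approximation of YARA's semantics (no alphanumeric character immediately before or after the match).

```python
import re
import struct

# String patterns from the rule and whether each carries the fullword modifier.
RULE_STRINGS = {
    "$s0": ("HT_exploit", True),
    "$s1": ("HT_Exploit", True),
    "$s2": ("flash_exploit_", False),
    "$s3": ("exp1_fla/MainTimeline", True),
    "$s4": ("exp2_fla/MainTimeline", True),
    "$s5": ("_shellcode_32", True),
    "$s6": ("todo: unknown 32-bit target", True),
}

def _matches(data: bytes, pattern: str, fullword: bool) -> bool:
    pat = re.escape(pattern.encode("ascii"))
    if fullword:
        # Approximates YARA fullword: match must not be adjacent to an alphanumeric byte.
        pat = rb"(?<![A-Za-z0-9])" + pat + rb"(?![A-Za-z0-9])"
    return re.search(pat, data) is not None

def evaluate(data: bytes) -> dict:
    # uint16(0) is a little-endian read of the first two bytes; 0x5746 == b"FW",
    # i.e. the start of an uncompressed "FWS" SWF header.
    magic_ok = len(data) >= 2 and struct.unpack_from("<H", data, 0)[0] == 0x5746
    matched = [n for n, (s, fw) in RULE_STRINGS.items() if _matches(data, s, fw)]
    return {"magic_ok": magic_ok, "matched": matched, "fires": magic_ok and len(matched) >= 1}

# Constructed samples (not real exploit files): minimal SWF-like headers plus marker strings.
SAMPLES = {
    "fws_marker":  b"FWS\x0a" + b"\x00" * 8 + b"\x00HT_exploit\x00",        # fires
    "cws_marker":  b"CWS\x0a" + b"\x00" * 8 + b"\x00HT_exploit\x00",        # compressed header, magic fails
    "fws_partial": b"FWS\x0a" + b"\x00HT_exploitation\x00",                 # fullword fails
    "fws_prefix":  b"FWS\x0a" + b"\x00flash_exploit_x86\x00",               # $s2 is not fullword, fires
}

def scan_samples() -> dict:
    return {name: evaluate(data) for name, data in SAMPLES.items()}

if __name__ == "__main__":
    for name, result in scan_samples().items():
        print(f"{name:12s} fires={result['fires']!s:5s} matched={result['matched']}")
```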
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that mimics the behavior of the CVE-2015-5119 exploit, such as using mshta or cmd.exe for execution.
Filter/Exclusion: Check for task scheduler or schtasks in the command line or process tree. Exclude processes with mshta or cmd.exe that are associated with known maintenance tasks.
Scenario: Admin Performing PowerShell Script Execution
Description: An administrator is running a PowerShell script that uses mshta to execute a command, which may trigger the rule due to similar command-line patterns.
Filter/Exclusion: Filter by powershell.exe and check for Invoke-Expression or IEX in the command line. Exclude scripts with known admin tools or internal scripts.
Scenario: Legacy Application Using mshta for GUI Interaction
Description: A legacy enterprise application uses mshta to display HTML-based GUI elements, which may be flagged due to the presence of mshta in the command line.
Filter/Exclusion: Check for mshta in the command line and exclude processes associated with known legacy applications or internal tools.
Scenario: User Running a Malicious-Looking but Legitimate Tool
Description: A user runs a legitimate tool (e.g., regsvr32, msiexec) that is being misinterpreted by the rule as an exploit due to similar command-line arguments.
Filter/Exclusion: Filter by known legitimate tools and exclude processes that match the command-line patterns of these tools.
Scenario: Automated Patching or Configuration Management Job
Description: An automated patching or configuration management job (e.g., using SCCM, Ansible,