Adversaries may be leveraging a known exploit for CVE_2017_11882 through malicious documents to gain unauthorized access to systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential compromise from targeted attacks using outdated vulnerabilities.
YARA Rule
rule Maldoc_CVE_2017_11882 : Exploit {
meta:
description = "Detects maldoc With exploit for CVE_2017_11882"
author = "Marc Salinas (@Bondey_m)"
reference = "c63ccc5c08c3863d7eb330b69f96c1bcf1e031201721754132a4c4d0baff36f8"
date = "2017-10-20"
strings:
$doc = "d0cf11e0a1b11ae1"
$s0 = "Equation"
$s1 = "1c000000020"
$h0 = {1C 00 00 00 02 00}
condition:
(uint32be(0) == 0x7B5C7274 or $doc at 0 ) and $s0 and ($h0 or $s1)
}This YARA rule can be deployed in the following contexts:
This rule contains 4 string patterns in its detection logic.
Scenario: Legitimate system update via Windows Update
Filter/Exclusion: process.name != "wusa.exe" or process.parent.name != "svchost.exe"
Scenario: Scheduled execution of Microsoft Patch Management tool
Filter/Exclusion: process.name != "mpcmdrun.exe" or process.parent.name != "taskeng.exe"
Scenario: Admin running a PowerShell script to test exploit mitigation
Filter/Exclusion: process.name != "powershell.exe" or process.parent.name != "explorer.exe" and process.command_line contains "Test-NetConnection"
Scenario: Malicious file analysis in a sandbox environment
Filter/Exclusion: process.name != "sandboxed_process.exe" or process.parent.name != "sandbox_launcher.exe"
Scenario: Legitimate use of mshta.exe for internal HTML-based reporting
Filter/Exclusion: process.name != "mshta.exe" or process.parent.name != "explorer.exe" and process.command_line contains "about:blank"