CVE-2017-11882 is a stack buffer overflow in the Microsoft Office Equation Editor component (EQNEDT32.EXE), patched by Microsoft in November 2017. It is triggered by opening a crafted document, most often an RTF file, that embeds an Equation.3 OLE object whose MTEF font name overflows a fixed-size buffer and overwrites the saved return address with an address inside EQNEDT32.EXE that leads into a WinExec call, so the font name itself becomes the command line that is executed. Adversaries deliver such documents as mail attachments or downloads to gain code execution on the victim's machine; this is a malicious-document detection, not reconnaissance. The YARA rule below matches the hex-encoded object data of such files. Run it against attachments, file shares and sample stores, and forward its matches to Azure Sentinel for alerting and hunting across the estate.
YARA Rule
rule rtf_cve2017_11882 : malicious exploit cve_2017_11882 {
    meta:
        author = "John Davison"
        description = "Attempts to identify the exploit CVE 2017 11882"
        reference = "https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about"
        sample = "51cf2a6c0c1a29abca9fd13cb22421da"
        score = 60
        //file_ext = "rtf"
    strings:
        // RTF \objdata stores the embedded OLE object as ASCII hex, so every
        // pattern below is the hex text of the bytes and each byte costs two
        // characters. $headers is the 28-byte (0x1c) Equation Native stream
        // header followed by the MTEF header 03 01 01 03 (MTEF v3, Windows,
        // Equation Editor) and one further byte.
        $headers = { 31 63 30 30 30 30 30 30 30 32 30 30 ?? ?? ?? ??
                     61 39 30 30 30 30 30 30 ?? ?? ?? ?? ?? ?? ?? ??
                     ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
                     ?? ?? ?? ?? ?? ?? ?? ?? 30 33 30 31 30 31 30 33
                     ?? ?? }
        // Bytes 0a 01 08 5a 5a: FULL and LINE records, then a FONT record
        // (tag 08, tface 5a, style 5a). The font name that follows is the
        // field the exploit overflows.
        $font = { 30 61 30 31 30 38 35 61 35 61 }
        // Bytes 12 0c 43 00: 0x00430C12 little-endian, the EQNEDT32.EXE
        // return address public exploits use to reach WinExec.
        $winexec = { 31 32 30 63 34 33 30 30 }
    condition:
        // 5 bytes of $font plus 44 bytes of font name put the overwritten
        // return address 49 bytes after $font, i.e. 98 hex characters.
        all of them and @font > @headers and @winexec == @font + ((5 + 44) * 2)
}
The rule uses three string patterns, and all three must be present in a fixed positional relationship: the Equation Native/MTEF header must precede the FONT record, and the WinExec return address must sit exactly 49 bytes (98 hex characters) after the start of the FONT record pattern. That offset check is what keeps the rule specific to the public exploit layout rather than to every document that embeds an Equation.3 object. It also makes the rule narrow: a variant that pads the font name to a different length or returns to a different address will not match, so treat this rule as one signature for the original exploit, not as coverage for the vulnerability.
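The following Python script is an added example, not part of the original page or the rule author's tooling. It re-implements the rule's condition over the `\objdata` hex text of an RTF file, so the doubled offsets in the YARA condition can be seen directly, and it decodes the overflowed font name to recover the command line. The two RTF inputs are constructed in the script: they carry only the Equation Native stream as hex (a real file wraps it in the OLE1/compound-file container) and zero the header fields the rule wildcards, which is an assumption made for the example.

```python
import re

# Byte-level meaning of the rule's hex strings. RTF \objdata stores the embedded
# OLE object as ASCII hex, so the rule matches hex text: every byte costs two
# characters and every offset in the YARA condition is doubled ((5 + 44) * 2 == 98).
MTEF_FONT_RECORD = "0a01085a5a"   # FULL, LINE, FONT (tag 08, tface 5a, style 5a); the name follows
WINEXEC_RET = "120c4300"          # 0x00430C12 little-endian, the EQNEDT32.EXE return address public exploits use
FONT_NAME_LEN = 44                # font-name bytes copied before the saved return address is overwritten

# $headers as a regex over the hex text: 28-byte (0x1c) Equation Native stream header,
# then the MTEF header 03 01 01 03 and one further byte.
HEADERS_RE = re.compile(r"1c0000000200[0-9a-f]{4}a9000000[0-9a-f]{32}03010103[0-9a-f]{2}")


def scan_rtf(rtf_text):
    """Apply the rule's condition to every \\objdata group of an RTF file.

    Returns one dict per matching object with the hex-text offsets the YARA
    @font / @winexec variables would report and the command line recovered from
    the overflowed font name. An empty list means the rule would not fire.
    """
    hits = []
    for m in re.finditer(r"\\objdata\s*([0-9a-fA-F\s]+)", rtf_text):
        hexdata = re.sub(r"\s+", "", m.group(1)).lower()
        h = HEADERS_RE.search(hexdata)
        f = hexdata.find(MTEF_FONT_RECORD)
        if not h or f <= h.start():                                   # all of them and @font > @headers
            continue
        expected = f + (len(MTEF_FONT_RECORD) // 2 + FONT_NAME_LEN) * 2   # @font + (5 + 44) * 2
        if hexdata.find(WINEXEC_RET) != expected:                     # @winexec == that offset
            continue
        name = bytes.fromhex(hexdata[f + len(MTEF_FONT_RECORD):expected])
        hits.append({
            "font_offset": f,
            "winexec_offset": expected,
            "command": name.split(b"\x00")[0].decode("latin-1"),      # WinExec stops at the first NUL
        })
    return hits


def equation_stream_hex(font_name, tail):
    """Constructed Equation Native stream as hex text: 28-byte header (the fields the
    rule wildcards are zeroed here), MTEF header, FONT record, font name, tail."""
    header = bytes.fromhex("1c000000" "0200" "0000" "a9000000") + b"\x00" * 16
    mtef = bytes.fromhex("03010103") + b"\x00"
    return (header + mtef + bytes.fromhex(MTEF_FONT_RECORD) + font_name + tail).hex()


def rtf_with_object(stream_hex):
    """Minimal constructed RTF wrapper around an \\objdata hex payload."""
    return ("{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Equation.3}"
            "{\\*\\objdata " + stream_hex + "}}}")


# Exploit-shaped sample: a 44-byte font name holding the command, then the return address.
EXPLOIT_RTF = rtf_with_object(equation_stream_hex(
    b"cmd.exe /c calc.exe".ljust(FONT_NAME_LEN, b"A"),
    bytes.fromhex(WINEXEC_RET) + b"\x00" * 4))

# Benign-shaped sample: same headers and FONT record, an ordinary font name, then an END record.
BENIGN_RTF = rtf_with_object(equation_stream_hex(b"Times New Roman\x00", b"\x00"))

if __name__ == "__main__":
    for label, doc in (("exploit", EXPLOIT_RTF), ("benign", BENIGN_RTF)):
        print(label, scan_rtf(doc))
```

The benign document shares the header and FONT patterns with the exploit and only fails the offset test, which is the point of the condition: a real equation object never places that address 44 bytes into the font name. The recovered command is what an analyst should pull from a match, since it tells you what the document would have run.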
Because the rule evaluates file bytes, it has no process context; exclusions by ProcessName or CommandLine do not apply to it. Tune it by file hash, path or source instead.
Scenario: The rule is run against a malware-analysis share, sandbox storage or a red-team tooling directory that deliberately holds CVE-2017-11882 samples and proof-of-concept documents.
Filter/Exclusion: Exclude the known storage paths or the specific sample hashes, and keep the rule active everywhere else.
Scenario: A mail gateway or endpoint product has already blocked the attachment but keeps the original file in a quarantine folder, so every rescan re-alerts on a file that has been handled.
Filter/Exclusion: Exclude the quarantine path, or deduplicate alerts on file hash so each sample is raised once.
Scenario: A legitimate document embeds a real Equation.3 object, so the header and FONT patterns are present.
Filter/Exclusion: None needed. The condition also requires the WinExec return address at the exact offset, which ordinary equation objects do not contain. Treat a match as a true positive and verify it by decoding the \objdata hex and reading the font name, which carries the command line.
Scenario: The same exploit object arrives inside a binary OLE document (.doc) or an OOXML package rather than as RTF.
Filter/Exclusion: None; this is a coverage limit, not a false positive. The rule's strings are the hex-text encoding used by RTF \objdata and do not match the raw binary stream, so pair it with a rule over the decoded Equation Native stream or extract embedded objects before scanning.