Emerging Threatcriticalstable

Droppers Exploiting CVE-2017-11882

Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Florian Roth (Nextron Systems)Created Thu Nov 23Updated Sat Nov 27678eb5f4-8597-4be6-8be7-905e4234b53a2017

Emerging Threat

Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection:
        ParentImage|endswith: '\EQNEDT32.EXE'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

MITRE ATT&CK

Tactics

TA0002 · Execution TA0001 · Initial Access

Techniques

T1203 · Exploitation for Client Execution

Sub-techniques

T1204.002 · Malicious File T1566.001 · Spearphishing Attachment

Other

cve.2017-11882detection.emerging-threats

Rule Metadata

Rule ID

678eb5f4-8597-4be6-8be7-905e4234b53a

Status

stable

Level

critical

Type

Emerging Threat

Created

Thu Nov 23

Modified

Sat Nov 27

Author

Florian Roth (Nextron Systems)

Path

rules-emerging-threats/2017/Exploits/CVE-2017-11882/proc_creation_win_exploit_cve_2017_11882.yml

Raw Tags

attack.executionattack.t1203attack.t1204.002attack.initial-accessattack.t1566.001cve.2017-11882detection.emerging-threats

View on GitHub