Emerging Threatmediumtest

Exploit for CVE-2017-0261

Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Florian Roth (Nextron Systems)Created Thu Feb 22Updated Sat Nov 27864403a1-36c9-40a2-a982-4c9a45f7d8332017

Emerging Threat

Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection:
        ParentImage|endswith: '\WINWORD.EXE'
        Image|contains: '\FLTLDR.exe'
    condition: selection

False Positives

Several false positives identified, check for suspicious file names or locations (e.g. Temp folders)

References

MITRE ATT&CK

Tactics

Techniques

Sub-techniques

Other

cve.2017-0261detection.emerging-threats

Rule Metadata

Rule ID

864403a1-36c9-40a2-a982-4c9a45f7d833

Status

test

Level

medium

Type

Emerging Threat

Created

Thu Feb 22

Modified

Sat Nov 27

Author

Path

rules-emerging-threats/2017/Exploits/CVE-2017-0261/proc_creation_win_exploit_cve_2017_0261.yml

Raw Tags

attack.executionattack.t1203attack.t1204.002attack.initial-accessattack.t1566.001cve.2017-0261detection.emerging-threats