Emerging Threatcriticaltest

Exploit for CVE-2017-8759

Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Florian Roth (Nextron Systems)Created Fri Sep 15Updated Sat Nov 27fdd84c68-a1f6-47c9-9477-920584f949052017

Emerging Threat

Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection:
        ParentImage|endswith: '\WINWORD.EXE'
        Image|endswith: '\csc.exe'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

MITRE ATT&CK

Tactics

TA0002 · Execution TA0001 · Initial Access

Techniques

T1203 · Exploitation for Client Execution

Sub-techniques

T1204.002 · Malicious File T1566.001 · Spearphishing Attachment

Other

cve.2017-8759detection.emerging-threats

Rule Metadata

Rule ID

fdd84c68-a1f6-47c9-9477-920584f94905

Status

test

Level

critical

Type

Emerging Threat

Created

Fri Sep 15

Modified

Sat Nov 27

Author

Florian Roth (Nextron Systems)

Path

rules-emerging-threats/2017/Exploits/CVE-2017-8759/proc_creation_win_exploit_cve_2017_8759.yml

Raw Tags

attack.executionattack.t1203attack.t1204.002attack.initial-accessattack.t1566.001cve.2017-8759detection.emerging-threats

View on GitHub