WPS Office Exploitation via DLL Hijack

Identifies the load of a remote library by the WPS Office promecefpluginhost.exe executable. This may indicate the successful exploitation of CVE-2024-7262 or CVE-2024-7263 via DLL hijack abusing the ksoqing custom protocol handler.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2024/08/29"
 3integration = ["endpoint", "windows"]
 4maturity = "production"
 5updated_date = "2024/08/29"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Identifies the load of a remote library by the WPS Office promecefpluginhost.exe executable. This may indicate the successful 
11exploitation of CVE-2024-7262 or CVE-2024-7263 via DLL hijack abusing the ksoqing custom protocol handler.
12"""
13from = "now-9m"
14index = [ "logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*"]
15language = "eql"
16license = "Elastic License v2"
17name = "WPS Office Exploitation via DLL Hijack"
18references = [
19 "https://www.welivesecurity.com/en/eset-research/analysis-of-two-arbitrary-code-execution-vulnerabilities-affecting-wps-office/", 
20 "https://mp.weixin.qq.com/s/F8hNyESBdKhwXkQPgtGpew"
21 ]
22risk_score = 73
23rule_id = "ac6bc744-e82b-41ad-b58d-90654fa4ebfb"
24severity = "high"
25tags = [
26    "Domain: Endpoint",
27    "OS: Windows",
28    "Use Case: Threat Detection",
29    "Tactic: Initial Access",
30    "Tactic: Execution",
31    "Data Source: Elastic Defend",
32    "Data Source: Sysmon"
33]
34timestamp_override = "event.ingested"
35type = "eql"
36
37query = '''
38any where host.os.type == "windows" and process.name : "promecefpluginhost.exe" and 
39(
40 (event.category == "library" and 
41  ?dll.path : 
42     ("?:\\Users\\*\\AppData\\Local\\Temp\\wps\\INetCache\\*", 
43      "\\Device\\Mup\\**", "\\\\*")) or 
44
45  ((event.category == "process" and event.action : "Image loaded*") and 
46  ?file.path : 
47     ("?:\\Users\\*\\AppData\\Local\\Temp\\wps\\INetCache\\*", 
48      "\\Device\\Mup\\**", "\\\\*"))
49)
50'''
51
52
53[[rule.threat]]
54framework = "MITRE ATT&CK"
55[[rule.threat.technique]]
56id = "T1203"
57name = "Exploitation for Client Execution"
58reference = "https://attack.mitre.org/techniques/T1203/"
59
60
61[rule.threat.tactic]
62id = "TA0002"
63name = "Execution"
64reference = "https://attack.mitre.org/tactics/TA0002/"
65[[rule.threat]]
66framework = "MITRE ATT&CK"
67[[rule.threat.technique]]
68id = "T1189"
69name = "Drive-by Compromise"
70reference = "https://attack.mitre.org/techniques/T1189/"
71
72
73[rule.threat.tactic]
74id = "TA0001"
75name = "Initial Access"
76reference = "https://attack.mitre.org/tactics/TA0001/"

References

Related rules

to-top