WPS Office Exploitation via DLL Hijack
Identifies the load of a remote library by the WPS Office promecefpluginhost.exe executable. This may indicate the successful exploitation of CVE-2024-7262 or CVE-2024-7263 via DLL hijack abusing the ksoqing custom protocol handler.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2024/08/29"
3integration = ["endpoint", "windows"]
4maturity = "production"
5updated_date = "2024/08/29"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies the load of a remote library by the WPS Office promecefpluginhost.exe executable. This may indicate the successful
11exploitation of CVE-2024-7262 or CVE-2024-7263 via DLL hijack abusing the ksoqing custom protocol handler.
12"""
13from = "now-9m"
14index = [ "logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*"]
15language = "eql"
16license = "Elastic License v2"
17name = "WPS Office Exploitation via DLL Hijack"
18references = [
19 "https://www.welivesecurity.com/en/eset-research/analysis-of-two-arbitrary-code-execution-vulnerabilities-affecting-wps-office/",
20 "https://mp.weixin.qq.com/s/F8hNyESBdKhwXkQPgtGpew"
21 ]
22risk_score = 73
23rule_id = "ac6bc744-e82b-41ad-b58d-90654fa4ebfb"
24severity = "high"
25tags = [
26 "Domain: Endpoint",
27 "OS: Windows",
28 "Use Case: Threat Detection",
29 "Tactic: Initial Access",
30 "Tactic: Execution",
31 "Data Source: Elastic Defend",
32 "Data Source: Sysmon"
33]
34timestamp_override = "event.ingested"
35type = "eql"
36
37query = '''
38any where host.os.type == "windows" and process.name : "promecefpluginhost.exe" and
39(
40 (event.category == "library" and
41 ?dll.path :
42 ("?:\\Users\\*\\AppData\\Local\\Temp\\wps\\INetCache\\*",
43 "\\Device\\Mup\\**", "\\\\*")) or
44
45 ((event.category == "process" and event.action : "Image loaded*") and
46 ?file.path :
47 ("?:\\Users\\*\\AppData\\Local\\Temp\\wps\\INetCache\\*",
48 "\\Device\\Mup\\**", "\\\\*"))
49)
50'''
51
52
53[[rule.threat]]
54framework = "MITRE ATT&CK"
55[[rule.threat.technique]]
56id = "T1203"
57name = "Exploitation for Client Execution"
58reference = "https://attack.mitre.org/techniques/T1203/"
59
60
61[rule.threat.tactic]
62id = "TA0002"
63name = "Execution"
64reference = "https://attack.mitre.org/tactics/TA0002/"
65[[rule.threat]]
66framework = "MITRE ATT&CK"
67[[rule.threat.technique]]
68id = "T1189"
69name = "Drive-by Compromise"
70reference = "https://attack.mitre.org/techniques/T1189/"
71
72
73[rule.threat.tactic]
74id = "TA0001"
75name = "Initial Access"
76reference = "https://attack.mitre.org/tactics/TA0001/"
References
Related rules
- ScreenConnect Server Spawning Suspicious Processes
- Microsoft Exchange Worker Spawning Suspicious Processes
- Suspicious Explorer Child Process
- Unusual Execution via Microsoft Common Console File
- Windows Script Interpreter Executing Process via WMI