Exploit for CVE-2017-0261
Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262
Sigma rule

```yaml
title: Exploit for CVE-2017-0261
id: 864403a1-36c9-40a2-a982-4c9a45f7d833
status: test
description: Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262
references:
  - https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html
author: Florian Roth (Nextron Systems)
date: 2018-02-22
modified: 2021-11-27
tags:
  - attack.execution
  - attack.t1203
  - attack.t1204.002
  - attack.initial-access
  - attack.t1566.001
  - cve.2017-0261
  - detection.emerging-threats
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: '\WINWORD.EXE'
    Image|contains: '\FLTLDR.exe'
  condition: selection
falsepositives:
  - Several false positives identified, check for suspicious file names or locations (e.g. Temp folders)
level: medium
```
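The selection above is a single map with two modified fields (`ParentImage|endswith`, `Image|contains`) that must both match, and Sigma string comparisons are case-insensitive by default. The following added example (not part of the Sigma project or this rule) evaluates that selection against a few constructed Windows process-creation events and applies the false-positive hint from the rule, flagging hits whose image path sits in a Temp folder. The event field names follow Sigma's `process_creation` taxonomy; the sample paths, including the assumed normal install location of FLTLDR.EXE under `Common Files\Microsoft Shared`, are constructed for illustration.

```python
"""Evaluate the Sigma selection from the rule above over constructed events.

Added example; not the Sigma project's own code. Field names follow the
Sigma process_creation taxonomy, sample paths are constructed.
"""

# The selection map from the rule: every key must match (implicit AND).
SELECTION = {
    "ParentImage|endswith": "\\WINWORD.EXE",
    "Image|contains": "\\FLTLDR.exe",
}

# Path fragments the rule's falsepositives note calls out as worth a look.
SUSPICIOUS_LOCATION_HINTS = ("\\temp\\", "\\appdata\\local\\temp\\")

# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {   # Office-installed filter loader spawned by Word: matches the rule
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "Image": r"C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\FLTLDR.EXE",
    },
    {   # Same child, but parent is Excel: the rule is Word-specific
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        "Image": r"C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\FLTLDR.EXE",
    },
    {   # Word spawning an FLTLDR.exe copy from a Temp folder: matches, and
        # the location is exactly what the falsepositives note says to check
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "Image": r"C:\Users\alice\AppData\Local\Temp\FLTLDR.exe",
    },
    {   # Ordinary print helper spawned by Word: no match
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "Image": r"C:\Windows\splwow64.exe",
    },
]


def _match_field(modifier, actual, expected):
    """Apply one Sigma string modifier; comparisons are case-insensitive."""
    a, e = actual.lower(), expected.lower()
    if modifier == "":
        return a == e
    if modifier == "endswith":
        return a.endswith(e)
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "contains":
        return e in a
    raise ValueError(f"unsupported Sigma modifier: {modifier!r}")


def matches_selection(event, selection=SELECTION):
    """True when every field in the selection map matches the event (AND)."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        actual = event.get(field)
        if actual is None:
            return False
        if not _match_field(modifier, actual, expected):
            return False
    return True


def suspicious_location(image_path):
    """Triage hint from the rule's falsepositives note: image in a Temp folder."""
    lowered = image_path.lower()
    return any(hint in lowered for hint in SUSPICIOUS_LOCATION_HINTS)


def run_rule(events):
    """Return one hit per matching event, with the Temp-folder triage flag."""
    hits = []
    for index, event in enumerate(events):
        if matches_selection(event):
            hits.append({
                "index": index,
                "image": event["Image"],
                "suspicious_location": suspicious_location(event["Image"]),
            })
    return hits


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        flag = "CHECK LOCATION" if hit["suspicious_location"] else "expected path"
        print(f"event {hit['index']}: {hit['image']} [{flag}]")
```

Two details are worth keeping when porting this to a real backend: the `contains` modifier on `Image` matches `FLTLDR.EXE` as well as `FLTLDR.exe` only because Sigma matching is case-insensitive, so a case-sensitive query language needs an explicit lowercase or `(?i)`; and the Temp-folder flag is a triage aid layered on top of the rule, not part of its `condition`, so both events 0 and 2 still fire at the rule's `medium` level.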
Related rules
- Droppers Exploiting CVE-2017-11882
- Exploit for CVE-2017-8759
- Download From Suspicious TLD - Blacklist
- Download From Suspicious TLD - Whitelist
- Suspicious HWP Sub Processes