Droppers Exploiting CVE-2017-11882
Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe
Sigma rule (View on GitHub)
1title: Droppers Exploiting CVE-2017-11882
2id: 678eb5f4-8597-4be6-8be7-905e4234b53a
3status: stable
4description: Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe
5references:
6 - https://www.hybrid-analysis.com/sample/2a4ae284c76f868fc51d3bb65da8caa6efacb707f265b25c30f34250b76b7507?environmentId=100
7 - https://www.linkedin.com/pulse/exploit-available-dangerous-ms-office-rce-vuln-called-thebenygreen-
8 - https://github.com/embedi/CVE-2017-11882
9author: Florian Roth (Nextron Systems)
10date: 2017/11/23
11modified: 2021/11/27
12tags:
13 - attack.execution
14 - attack.t1203
15 - attack.t1204.002
16 - attack.initial_access
17 - attack.t1566.001
18 - cve.2017.11882
19 - detection.emerging_threats
20logsource:
21 category: process_creation
22 product: windows
23detection:
24 selection:
25 ParentImage|endswith: '\EQNEDT32.EXE'
26 condition: selection
27fields:
28 - CommandLine
29falsepositives:
30 - Unknown
31level: critical
References
-
Submit malware for free analysis with Falcon Sandbox and Hybrid Analysis technology. Hybrid Analysis develops and licenses analysis tools to fight malware.
Read More -
We recently ear about a 17 year old MS Office RCE vulnerability, discovered and named "Skeleton in the closet" by @_embedi_ , a company specializing in cybersecurity solutions for embedded devices. That vulnerabily is extremelly dangerous because it : works with all the Microsoft Office versions rel
Read More -
Proof-of-Concept exploits for CVE-2017-11882. Contribute to embedi/CVE-2017-11882 development by creating an account on GitHub.
Read More
Related rules
- Exploit for CVE-2017-0261
- Exploit for CVE-2017-8759
- Ursnif Malware C2 URL Pattern
- Download From Suspicious TLD - Whitelist
- Download From Suspicious TLD - Blacklist