Exploit for CVE-2017-8759

 1title: Exploit for CVE-2017-8759
 2id: fdd84c68-a1f6-47c9-9477-920584f94905
 3status: test
 4description: Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759
 5references:
 6    - https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
 7    - https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
 8author: Florian Roth (Nextron Systems)
 9date: 2017-09-15
10modified: 2021-11-27
11tags:
12    - attack.execution
13    - attack.t1203
14    - attack.t1204.002
15    - attack.initial-access
16    - attack.t1566.001
17    - cve.2017-8759
18    - detection.emerging-threats
19logsource:
20    category: process_creation
21    product: windows
22detection:
23    selection:
24        ParentImage|endswith: '\WINWORD.EXE'
25        Image|endswith: '\csc.exe'
26    condition: selection
27falsepositives:
28    - Unknown
29level: critical

References

• Free Automated Malware Analysis Service - powered by Falcon Sandbox - Viewing online file analysis results for '0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684'

  Submit malware for free analysis with Falcon Sandbox and Hybrid Analysis technology. Hybrid Analysis develops and licenses analysis tools to fight malware.

  
  Read More

• Free Automated Malware Analysis Service - powered by Falcon Sandbox

  Submit malware for free analysis with Falcon Sandbox and Hybrid Analysis technology. Hybrid Analysis develops and licenses analysis tools to fight malware.

  
  Read More

Related rules

• Droppers Exploiting CVE-2017-11882
• Exploit for CVE-2017-0261
• Download From Suspicious TLD - Blacklist
• Download From Suspicious TLD - Whitelist
• Suspicious HWP Sub Processes