The detection rule identifies potential exploitation of CVE-2013-0074, which could indicate an adversary leveraging a known vulnerability to execute arbitrary code. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential compromise from legacy vulnerabilities that may still exist in their environment.
YARA Rule
rule cve_2013_0074
{
    meta:
        author = "Kaspersky Lab"
        filetype = "Win32 EXE"
        date = "2015-07-23"
        version = "1.0"
    strings:
        $b2 = "Can't find Payload() address" ascii wide
        $b3 = "/SilverApp1;component/App.xaml" ascii wide
        $b4 = "Can't allocate ums after buf[]" ascii wide
        $b5 = "------------ START ------------"
    condition:
        ( (2 of ($b*)) )
}
This YARA rule can be deployed in the following contexts:
This rule contains 4 string patterns in its detection logic.
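To make the rule's semantics concrete, the following is an added example (it is not part of the original page and not Kaspersky's code): a small pure-Python re-implementation of how YARA evaluates these four strings, so the effect of the `ascii wide` modifiers and the `2 of ($b*)` threshold can be exercised without yara-python installed. The sample buffers are constructed for illustration and contain no real malware; the `YaraString`, `matched_strings` and `rule_matches` names are this example's own.

```python
# Added example, not from the original page: mirrors the matching logic of
# rule cve_2013_0074 for the modifiers it actually uses (ascii, wide, default).
from dataclasses import dataclass


@dataclass(frozen=True)
class YaraString:
    """One entry of a YARA 'strings:' section (hypothetical helper type)."""
    name: str
    text: str
    is_ascii: bool = True   # YARA default: plain one-byte-per-char match
    is_wide: bool = False   # 'wide' modifier: also match the UTF-16LE form

    def encodings(self) -> list[bytes]:
        """Byte patterns this string matches, as YARA defines the modifiers."""
        patterns = []
        if self.is_ascii:
            patterns.append(self.text.encode("ascii"))
        if self.is_wide:
            patterns.append(self.text.encode("utf-16-le"))
        return patterns


# The four strings exactly as published. $b5 carries no modifier, so YARA
# matches it as ASCII only; a UTF-16LE copy of it does not count.
CVE_2013_0074_STRINGS = [
    YaraString("$b2", "Can't find Payload() address", is_ascii=True, is_wide=True),
    YaraString("$b3", "/SilverApp1;component/App.xaml", is_ascii=True, is_wide=True),
    YaraString("$b4", "Can't allocate ums after buf[]", is_ascii=True, is_wide=True),
    YaraString("$b5", "------------ START ------------"),
]
THRESHOLD = 2  # condition: ( (2 of ($b*)) )


def matched_strings(data: bytes, strings=CVE_2013_0074_STRINGS) -> list[str]:
    """Names of the rule strings found anywhere in `data`, in rule order."""
    return [s.name for s in strings if any(p in data for p in s.encodings())]


def rule_matches(data: bytes) -> bool:
    """True when at least THRESHOLD distinct $b* strings are present."""
    return len(matched_strings(data)) >= THRESHOLD


# Constructed sample buffers (not real samples) covering each branch:
SAMPLE_HIT_ASCII = (b"MZ\x90\x00junk"
                    + b"Can't find Payload() address\x00"
                    + b"------------ START ------------")          # $b2 + $b5
SAMPLE_HIT_WIDE = (b"MZ"
                   + "/SilverApp1;component/App.xaml".encode("utf-16-le")
                   + "Can't allocate ums after buf[]".encode("utf-16-le"))  # $b3 + $b4 wide
SAMPLE_ONE_ONLY = b"MZ" + b"Can't find Payload() address"         # one string: no alert
SAMPLE_WIDE_B5 = (b"MZ"
                  + "------------ START ------------".encode("utf-16-le")
                  + b"Can't find Payload() address")                # wide $b5 ignored: no alert

if __name__ == "__main__":
    for label, buf in [("ascii hit", SAMPLE_HIT_ASCII), ("wide hit", SAMPLE_HIT_WIDE),
                       ("one string", SAMPLE_ONE_ONLY), ("wide $b5", SAMPLE_WIDE_B5)]:
        print(f"{label:12} matched={matched_strings(buf)} alert={rule_matches(buf)}")
```

In production the rule is compiled and scanned with yara or yara-python; this toy only reproduces the `ascii`/`wide` and `N of` semantics the rule relies on, and it shows why the lack of a `wide` modifier on `$b5` matters: a UTF-16 copy of the banner alone does not contribute to the two-string threshold.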
Scenario: Legitimate system update using Windows Update
Filter/Exclusion: Check for ProcessName containing wuauclt.exe or Windows Update in the process name or command line.
Scenario: Scheduled backup job using Veeam Backup & Replication
Filter/Exclusion: Filter by ProcessName containing veeam.exe or check for CommandLine containing Veeam Backup or backup.
Scenario: Admin task using PowerShell for log analysis
Filter/Exclusion: Filter by ProcessName containing powershell.exe and check for CommandLine containing Get-EventLog or Get-Log.
Scenario: Antivirus scan using Bitdefender
Filter/Exclusion: Filter by ProcessName containing bdagent.exe or Bitdefender in the command line.
Scenario: System monitoring tool using Nagios Core
Filter/Exclusion: Filter by ProcessName containing nagios.exe or check for CommandLine containing nagios or check commands.