This detection identifies potential exploitation of CVE-2017-8759, a remote code execution vulnerability in the .NET Framework's SOAP WSDL parser, through the presence of the malicious cmd.hta file dropped by the referenced exploit sample; that HTA launches PowerShell to execute arbitrary commands. SOC teams should proactively hunt for this file in Azure Sentinel to identify and mitigate early-stage attacks leveraging known vulnerabilities.
YARA Rule
rule CVE_2017_8759_Mal_HTA {
   meta:
      description = "Detects malicious files related to CVE-2017-8759 - file cmd.hta"
      author = "Florian Roth"
      reference = "https://github.com/Voulnet/CVE-2017-8759-Exploit-sample"
      date = "2017-09-14"
      hash1 = "fee2ab286eb542c08fdfef29fabf7796a0a91083a0ee29ebae219168528294b5"
   strings:
      $x1 = "Error = Process.Create(\"powershell -nop cmd.exe /c" fullword ascii
   condition:
      ( uint16(0) == 0x683c and filesize < 1KB and all of them )
}
This YARA rule can be deployed in the following contexts:
This rule contains one string pattern ($x1) in its detection logic. The condition additionally requires the file to start with the two bytes "<h" (uint16(0) == 0x683c, which YARA reads little-endian, so it covers <html and <head) and to be smaller than 1 KB, so it targets the specific small cmd.hta dropper rather than HTA files in general. Because the string is the exact PowerShell launch line from the referenced sample, a variant that changes a single flag will not match; treat this as a known-sample signature, not as coverage of the vulnerability itself.
Scenario: A system administrator uses PowerShell to run a legitimate .hta file as part of a scheduled maintenance task.
Filter/Exclusion: The rule matches file content, not the process chain, so a legitimate .hta only hits if it actually contains the string Error = Process.Create("powershell -nop cmd.exe /c; read the flagged file before excluding anything. If the hit is correlated with process telemetry, a filter such as process.parent_process_name == "powershell.exe" can tag the launch, but it must not be used on its own as a benign indicator, because the string the rule looks for is itself a PowerShell launch.
Scenario: A Windows Update package or a Microsoft Defender scan surfaces a known benign .hta file that the rule flags.
Filter/Exclusion: Do not exclude C:\Windows\Temp\ or other world-writable directories; they are common drop locations for staged payloads. If a benign file in a protected location such as C:\Windows\System32\ is confirmed, exclude it by its full path and SHA-256 hash rather than by directory.
Scenario: A remote desktop session or terminal services user executes a .hta file as part of a legitimate administrative task.
Filter/Exclusion: Use process.user or process.owner together with the logon type (RDP interactive logons are type 10) to confirm the session context, then exclude the specific file by hash. Note that mstsc.exe runs on the connecting client, not inside the remote session, and "tsclient" is the name of the redirected-drive share rather than a process, so neither works as a parent-process filter on the target host. Excluding known admin accounts wholesale is unsafe, since those are the accounts an attacker most wants to use.
Scenario: A scheduled task is configured to run a .hta file for system diagnostics or log cleanup.
Filter/Exclusion: Task-launched processes are children of the Task Scheduler service host (svchost.exe hosting the Schedule service; taskeng.exe on older Windows), not of schtasks.exe, which only creates or queries tasks. Match the task name and action path recorded in the Microsoft-Windows-TaskScheduler/Operational log (event IDs 200 and 201, action started/completed) against the process command line, and exclude only that task's file by hash.
Scenario: A third-party application (e.g., Microsoft Office or Adobe Acrobat) writes or launches a .hta file as part of its normal operation.
Filter/Exclusion: Treat this as the attack pattern rather than a false positive: in-the-wild exploitation of CVE-2017-8759, and the referenced exploit sample, starts from an RTF document opened in Word that leads to the HTA being fetched and run. Do not exclude by application path (e.g., C:\Program Files\Adobe\); if a vendor-shipped .hta is genuinely flagged, verify its code signature or hash and exclude that file alone.
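To make the rule's behaviour concrete for both the detection logic and the exclusion scenarios above, here is an added example written for this page (it is not code from the rule's author or from signature-base). It transcribes the three clauses of the condition into plain Python so they can be checked without yara-python, and runs them over constructed samples: the .hta contents, the harmless echo command and the hypothetical C:\scripts\cleanup.ps1 path are all made up for the demonstration. It shows that a legitimate PowerShell-launching maintenance .hta does not hit, so the process-chain filters are rarely needed, and it shows the rule's brittleness (a changed flag, padding past 1 KB, a BOM) that a hunter should expect.

```python
import re
import struct

# Pure-Python transcription of the CVE_2017_8759_Mal_HTA condition (assumption:
# this is not the YARA engine, just its three clauses re-implemented so the
# rule's behaviour can be exercised offline).

# $x1 exactly as written in the rule (ascii, fullword).
X1 = b'Error = Process.Create("powershell -nop cmd.exe /c'
# YARA "fullword": the match may not be adjacent to an alphanumeric character.
X1_FULLWORD = re.compile(rb"(?<![0-9A-Za-z])" + re.escape(X1) + rb"(?![0-9A-Za-z])")


def matches_cve_2017_8759_mal_hta(data: bytes) -> bool:
    """Return True when data satisfies every clause of the rule's condition."""
    # uint16(0) == 0x683c: YARA integer reads are little-endian, so the file
    # must start with bytes 0x3c 0x68, i.e. "<h" (as in <html or <head).
    if len(data) < 2 or struct.unpack_from("<H", data, 0)[0] != 0x683C:
        return False
    # filesize < 1KB
    if len(data) >= 1024:
        return False
    # all of them: $x1 is the only string in the rule
    return X1_FULLWORD.search(data) is not None


# Constructed sample (hypothetical, not real malware): the shape the rule was
# written for, with a harmless echo so the $x1 string is present.
CMD_HTA_LIKE = (
    b"<html>\n<head>\n<script language=\"VBScript\">\n"
    b"Set Process = CreateObject(\"WScript.Shell\")\n"
    b"Error = Process.Create(\"powershell -nop cmd.exe /c echo demo\", null, obj, pid)\n"
    b"</script>\n</head>\n</html>\n"
)

SAMPLES = {
    # Should match.
    "cmd_hta_like": CMD_HTA_LIKE,
    # A legitimate maintenance .hta of the kind the exclusion scenarios describe
    # (constructed). It launches PowerShell too, but $x1 is absent: no match.
    "admin_maintenance_hta": (
        b"<html>\n<head>\n<script language=\"VBScript\">\n"
        b"Set Shell = CreateObject(\"WScript.Shell\")\n"
        b"Shell.Run \"powershell -File C:\\scripts\\cleanup.ps1\"\n"
        b"</script>\n</head>\n</html>\n"
    ),
    # Same payload with one flag added: the string is sample-specific, no match.
    "variant_flags": CMD_HTA_LIKE.replace(b"-nop cmd.exe", b"-nop -w hidden cmd.exe"),
    # Same payload padded past 1KB with an HTML comment: filesize clause fails.
    "padded_over_1kb": CMD_HTA_LIKE + b"<!-- " + b"A" * 1100 + b" -->\n",
    # Same payload behind a UTF-8 BOM: uint16(0) is no longer 0x683c.
    "utf8_bom_prefix": b"\xef\xbb\xbf" + CMD_HTA_LIKE,
}


def scan(samples: dict) -> dict:
    """Run the transcribed condition over every sample, keyed by sample name."""
    return {name: matches_cve_2017_8759_mal_hta(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, hit in scan(SAMPLES).items():
        print(f"{name:24s} {'MATCH' if hit else 'no match'}")
```

Only the first sample matches. Against real files, run the actual rule with the yara CLI (for example yara -r rule.yar <directory>) rather than this transcription; the point of the script is to show which clause a near-miss fails, which is also what an analyst should check before writing an exclusion.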