CVE-2017-8759 is a code-injection flaw in the .NET Framework's SOAP WSDL parser. In observed attacks a malicious document fetched a WSDL whose soap:address location element pointed at an HTA payload that was then executed through mshta.exe. The rule below, written by Florian Roth, targets that WSDL/SOAP text (named exploit.txt in the referenced proof-of-concept sample), not the document that delivers it and not the file name itself. Scanning files with this rule, and feeding the matches into a SIEM such as Azure Sentinel for hunting, helps identify exploitation attempts against this known vulnerability before they lead to broader compromise.
YARA Rule
rule CVE_2017_8759_SOAP_txt {
   meta:
      description = "Detects malicious file in relation with CVE-2017-8759 - file exploit.txt"
      author = "Florian Roth"
      reference = "https://github.com/Voulnet/CVE-2017-8759-Exploit-sample"
      date = "2017-09-14"
      hash1 = "840ad14e29144be06722aff4cc04b377364eeed0a82b49cc30712823838e2444"
   strings:
      // WSDL service endpoint pointing at an HTA payload; note the dot before "hta"
      // is unescaped in the published rule, so it matches any single character
      $s1 = /<soap:address location="http[s]?:\/\/[^"]{8,140}.hta"/ ascii wide
      // variant in which the endpoint URL ends in mshta.exe
      $s2 = /<soap:address location="http[s]?:\/\/[^"]{8,140}mshta.exe"/ ascii wide
   condition:
      ( filesize < 200KB and 1 of them )
}
This YARA rule matches on file content rather than on a file name, so it can be deployed wherever the SOAP/WSDL text is scanned as a file: endpoint YARA scans, mail-gateway or sandbox attachment analysis, proxy download inspection, and retro-hunts over sample repositories.
The rule contains two string patterns, $s1 and $s2. Both are marked ascii wide, so they also match UTF-16LE copies of the text, and the rule fires when either pattern appears in a file smaller than 200 KB.
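As an added example (not part of the original page and not the rule author's code), the Python below re-implements the two regular expressions and the rule condition with the standard re module so the logic can be exercised offline without yara-python. All inputs are constructed, not real captures: example.invalid and 192.0.2.10 are documentation names/addresses. The unescaped dot in $s1 is written as \. here, which is the stricter reading of the rule. The wide handling mirrors YARA's modifier by decoding the buffer as UTF-16LE at both byte alignments.

```python
import re

# Transcribed from the rule's $s1 and $s2 (YARA escapes "/" because it is the
# regex delimiter; Python does not need that). Assumption: the dot before
# "hta" is escaped, i.e. the intended meaning of the published pattern.
PATTERNS = [
    re.compile(r'<soap:address location="http[s]?://[^"]{8,140}\.hta"'),
    re.compile(r'<soap:address location="http[s]?://[^"]{8,140}mshta\.exe"'),
]
MAX_SIZE = 200 * 1024  # condition: filesize < 200KB


def _text_views(data: bytes):
    """Yield the decodings that the 'ascii wide' modifiers would search."""
    # ascii: one byte per character, no conversion
    yield "ascii", data.decode("latin-1")
    # wide: UTF-16LE; YARA matches at any offset, so try both alignments
    for offset in (0, 1):
        chunk = data[offset:]
        chunk = chunk[: len(chunk) - (len(chunk) % 2)]
        yield f"wide@{offset}", chunk.decode("utf-16-le", errors="replace")


def scan(data: bytes) -> dict:
    """Evaluate the rule against one file buffer.

    Returns which string/encoding combinations hit and whether the overall
    condition ("filesize < 200KB and 1 of them") is satisfied.
    """
    hits = []
    if len(data) < MAX_SIZE:
        for view, text in _text_views(data):
            for idx, pat in enumerate(PATTERNS, start=1):
                if pat.search(text):
                    hits.append(f"$s{idx}/{view}")
    return {"matched": bool(hits), "hits": hits, "size": len(data)}


# Constructed sample inputs (not real samples).
# A legitimate WSDL endpoint: soap:address is normal, the target is a service URL.
BENIGN_WSDL = (
    b'<wsdl:port name="SvcSoap" binding="tns:SvcSoap">'
    b'<soap:address location="http://example.invalid/svc/Service.asmx"/>'
    b"</wsdl:port>"
)
# The two shapes the rule targets.
HTA_ASCII = b'<soap:address location="http://192.0.2.10/payload.hta"/>'
MSHTA_ASCII = b'<soap:address location="https://192.0.2.10/x/mshta.exe"/>'
# Same HTA string stored as UTF-16LE, which only the "wide" modifier catches.
HTA_WIDE = HTA_ASCII.decode("ascii").encode("utf-16-le")
# Edge cases: fewer than 8 characters between "http://" and ".hta" is below the
# {8,140} floor, and a matching string inside a file of 200 KB or more fails
# the filesize clause.
SHORT_HOST = b'<soap:address location="http://a/b.hta"/>'
OVERSIZE = HTA_ASCII + b"A" * MAX_SIZE


if __name__ == "__main__":
    for name, sample in [
        ("benign WSDL", BENIGN_WSDL),
        ("HTA ascii", HTA_ASCII),
        ("mshta ascii", MSHTA_ASCII),
        ("HTA wide", HTA_WIDE),
        ("short host", SHORT_HOST),
        ("oversize", OVERSIZE),
    ]:
        print(f"{name:12s} -> {scan(sample)}")
```

The benign WSDL does not match because its endpoint ends in .asmx, which is why ordinary service descriptions do not need an exclusion; the UTF-16LE copy matches only through the wide view, which is what the ascii wide modifiers buy you.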
Because the rule keys on the soap:address content and not on the file name, a file that merely happens to be called exploit.txt does not trigger it; exclusions should therefore be based on content, hash, or scope rather than on the name.
Scenario: A malware-analysis team or researcher keeps the public proof-of-concept sample from the referenced GitHub repository on a lab share.
Filter/Exclusion: Exclude by the documented SHA-256 (the hash1 value in the rule meta), or scope the exclusion to the analysis-lab hosts and paths; do not exclude by file name.
Scenario: A red team reproduces CVE-2017-8759 during an authorized adversary-emulation engagement.
Filter/Exclusion: Time-box the exclusion to the engagement window and the agreed source hosts, and keep alerting everywhere else.
Scenario: Detection engineers test YARA rule packs or unit-test fixtures that contain the malicious soap:address strings.
Filter/Exclusion: Exclude the rule-repository or test-fixture directory on the detection-engineering hosts only.
Scenario: Legitimate WSDL documents also contain soap:address location elements.
Filter/Exclusion: No exclusion is needed; a genuine endpoint points to a service URL (for example .asmx or .svc), not to an .hta file or to mshta.exe, so ordinary WSDL does not match. A hit inside what looks like a real WSDL should be treated as hostile.
Caution: Do not add broad exclusions such as every file written by powershell.exe, by administrative users, or under generic paths like dev/, test/ or backup/. Those are exactly the contexts in which an attacker operates, and such filters would blind the rule without reducing real false positives.