CVE-2018-8653 is a remote code execution vulnerability in the Internet Explorer scripting engine: an adversary who lures a user to a malicious page can run arbitrary code with that user's rights. The same engine evaluates proxy auto-configuration (PAC) scripts for the WinHTTP Web Proxy Auto-Discovery service (WinHttpAutoProxySvc), so this hunt looks for unexpected child processes of the svchost.exe instance hosting that service. SOC teams can run it in Azure Sentinel to find possible exploitation on hosts that have not yet received the patch.
KQL Query

```kql
DeviceProcessEvents
| where Timestamp > ago(7d)
    // parent is the service host running WinHttpAutoProxySvc (WPAD / PAC evaluation)
    and InitiatingProcessFileName =~ "svchost.exe"
    and InitiatingProcessCommandLine contains "WinHttpAutoProxySvc"
    // children that host legitimately spawns: the PAC script worker,
    // another service host and Windows Error Reporting
    and FileName !~ "pacjsworker.exe"
    and FileName !~ "svchost.exe"
    and FileName !~ "WerFault.exe"
```

The `=~`, `!~` and `contains` operators are all case-insensitive, so a child renamed to PACJSWORKER.EXE is still excluded. Everything else spawned by the WinHttpAutoProxySvc host in the last seven days is returned; shells, script hosts or living-off-the-land binaries under that parent are the hits worth triaging first.
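The following Python is an added example, not code from the page or from the Sentinel query repository. It re-implements the query's logic over constructed DeviceProcessEvents rows so that its matching semantics (case-insensitive comparison, substring match on the parent command line, the seven-day window) can be checked offline before the query is tuned. The sample rows, device names and command lines are made up; the service-host command line mimics the Windows 10 form but should not be treated as authoritative.

```python
# Added example: offline re-implementation of the CVE-2018-8653 hunting query.
# KQL semantics mirrored here:
#   =~ / !~   case-insensitive string equality / inequality
#   contains  case-insensitive substring match
#   ago(7d)   relative to the time the query runs
from datetime import datetime, timedelta, timezone

# Children the WinHttpAutoProxySvc service host is expected to spawn,
# compared case-insensitively exactly like the three !~ clauses.
EXPECTED_CHILDREN = {"pacjsworker.exe", "svchost.exe", "werfault.exe"}


def matches_query(row, now, lookback=timedelta(days=7)):
    """True if this DeviceProcessEvents row would be returned by the query."""
    if row["Timestamp"] <= now - lookback:                                    # Timestamp > ago(7d)
        return False
    if row["InitiatingProcessFileName"].lower() != "svchost.exe":             # =~ "svchost.exe"
        return False
    if "winhttpautoproxysvc" not in row["InitiatingProcessCommandLine"].lower():  # contains
        return False
    return row["FileName"].lower() not in EXPECTED_CHILDREN                   # !~ clauses


def hunt(rows, now):
    """Rows the query would return, oldest first."""
    return sorted((r for r in rows if matches_query(r, now)), key=lambda r: r["Timestamp"])


def summarize_by_child(rows, now):
    """Hit count per (DeviceName, child file name): the first triage view a hunter wants."""
    counts = {}
    for r in hunt(rows, now):
        key = (r["DeviceName"], r["FileName"].lower())
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample telemetry (not real data). Fixed "now" keeps the example deterministic.
NOW = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
WPAD_HOST = "svchost.exe -k LocalServiceNetworkRestricted -s WinHttpAutoProxySvc"  # assumed form


def _row(days_ago, device, parent, parent_cmd, child, child_cmd):
    return {
        "Timestamp": NOW - timedelta(days=days_ago),
        "DeviceName": device,
        "InitiatingProcessFileName": parent,
        "InitiatingProcessCommandLine": parent_cmd,
        "FileName": child,
        "ProcessCommandLine": child_cmd,
    }


SAMPLE_ROWS = [
    # Normal PAC evaluation worker, including an odd-case variant: excluded by !~
    _row(1, "ws01", "svchost.exe", WPAD_HOST, "pacjsworker.exe", "pacjsworker.exe"),
    _row(1, "ws01", "svchost.exe", WPAD_HOST, "PACJSWORKER.EXE", "PACJSWORKER.EXE"),
    # Crash reporting for the service host: excluded
    _row(2, "ws02", "svchost.exe", WPAD_HOST, "WerFault.exe", "WerFault.exe -u -p 1234"),
    # A shell and a script host spawned by the WPAD service host: what the hunt is for
    _row(2, "ws02", "svchost.exe", WPAD_HOST, "cmd.exe", "cmd.exe /c whoami"),
    _row(3, "ws02", "svchost.exe", WPAD_HOST, "powershell.exe", "powershell.exe -nop -w hidden -enc AAAA"),
    # Same child under the Schedule service host: different parent, not returned
    _row(1, "ws03", "svchost.exe", "svchost.exe -k netsvcs -p -s Schedule",
         "powershell.exe", "powershell.exe -File cleanup.ps1"),
    # Suspicious, but outside the 7-day window
    _row(10, "ws04", "svchost.exe", WPAD_HOST, "cmd.exe", "cmd.exe /c whoami"),
]

if __name__ == "__main__":
    for r in hunt(SAMPLE_ROWS, NOW):
        print(r["Timestamp"].isoformat(), r["DeviceName"], r["FileName"], r["ProcessCommandLine"])
```

Running it prints the two ws02 hits and nothing else; the Schedule-host PowerShell and the ten-day-old cmd.exe are dropped by the parent and time filters rather than by the child allowlist, which is the distinction to keep in mind when tuning.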
```yaml
id: 1f541cc3-2c46-4f2a-9b4b-e082f25ec369
name: detect-exploitation-of-cve-2018-8653
description: |
  This query was originally published in the threat analytics report, CVE-2018-8653 scripting engine vulnerability.
  CVE-2018-8653 is a remote code execution vulnerability found in the scripting engine for several releases of Internet Explorer. An attacker exploiting this CVE could use a malicious webpage to gain the same access rights as the currently logged-in user, which is particularly problematic if the user is an administrator.
  Microsoft has since addressed this vulnerability.
  The following query detects possible exploitation of this CVE.
  References:
  https://nvd.nist.gov/vuln/detail/CVE-2018-8653
  https://portal.msrc.microsoft.com/security-guidance/advisory/CVE-2018-8653
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Initial access
  - Execution
query: |
  DeviceProcessEvents
  | where Timestamp > ago(7d)
      and InitiatingProcessFileName =~ "svchost.exe"
      and InitiatingProcessCommandLine contains "WinHttpAutoProxySvc"
      and FileName !~ "pacjsworker.exe"
      and FileName !~ "svchost.exe"
      and FileName !~ "WerFault.exe"
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Populated by the Microsoft 365 Defender connector (connectorId MicrosoftThreatProtection). Ensure the connector is enabled and the endpoints in scope are onboarded to Defender for Endpoint; otherwise the query runs but returns nothing. |
False positive scenarios

Read these against the query above before applying them: it only returns children of the svchost.exe instance hosting WinHttpAutoProxySvc, so scheduled tasks, admin scripts and pipeline agents are not returned unless they were spawned from that service host. The exclusions below, kept in the source's generic `field:value` filter syntax, matter mainly if the query is broadened to other parents or to script hosts in general. Each keys on a command-line term that an attacker can trivially include, so always combine the term with the parent binary and, where the schema allows, the account and the script path; never exclude on the command-line wildcard alone.

Scenario: Legitimate scheduled job using PowerShell for system maintenance
Description: A scheduled task runs a PowerShell script for routine maintenance such as log cleanup or service restarts. "Task Scheduler" is not a process name: on current Windows the parent is the Schedule service host (svchost.exe with `-s Schedule` in its command line); on older releases it is taskeng.exe.
Filter/Exclusion: process.parent_process_name:("svchost.exe" or "taskeng.exe") and process.command_line:(*-Cleanup* or *Restart-Service*)

Scenario: Admin using Windows Script Host (WSH) for configuration changes
Description: An administrator runs a .vbs or .wsf script from a shell to make configuration changes across the enterprise, such as updating group policy or registry settings.
Filter/Exclusion: process.parent_process_name:"cmd.exe" and process.command_line:(*cscript* or *wscript*)

Scenario: Use of the Microsoft scripting engine for automation in DevOps pipelines
Description: A DevOps pipeline uses PowerShell or VBScript to automate deployment tasks, such as deploying applications or configuring servers. "Azure DevOps" and "Jenkins" are product names, not process names; use the agent's worker binary (for example Agent.Worker.exe for the Azure Pipelines agent, or java.exe for a Jenkins agent) as observed in your own telemetry.
Filter/Exclusion: process.parent_process_name:("Agent.Worker.exe" or "java.exe") and process.command_line:*Deploy-Application*

Scenario: Legitimate use of Windows scripting for user account management
Description: A script manages user accounts, such as enabling or disabling users or resetting passwords, via the scripting engine. "Local System" is an account, not a process, so express that part of the exclusion on the user field your schema provides. Note that `net user` is also routine attacker tradecraft for account manipulation, so exclude it only together with a known script path.
Filter/Exclusion: process.command_line:(*net user* or *Enable-User*)

Scenario: Use of the scripting engine for generating reports in enterprise applications
Description: A reporting tool or application uses scripting to generate reports, such as exporting data to CSV or PDF. Use the actual parent binaries (sqlservr.exe, EXCEL.EXE, PBIDesktop.exe) rather than product names.
Filter/Exclusion: process.parent_process_name:("sqlservr.exe" or "EXCEL.EXE" or "PBIDesktop.exe") or `process
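The KQL below is an added example, not the page's own query or one from the Sentinel repository. It keeps the original detection and adds the two tuning layers a hunter can review rather than a pile of command-line wildcards: an explicit allowlist of the children the service host is expected to spawn, and a per-device baseline of children already seen in the 30 days before the hunt window, so that only new parent/child pairs surface. The window lengths and the allowlist entries are placeholders to be adjusted from your own baseline.

```kql
// Added example: the hunting query with a reviewable allowlist and a
// per-device baseline of previously seen children (placeholders to adjust).
let hunt_window = 7d;
let baseline_window = 37d;            // 30 days of baseline preceding the hunt window
let expected_children = dynamic(["pacjsworker.exe", "svchost.exe", "WerFault.exe"]);
let wpad_children =
    DeviceProcessEvents
    | where Timestamp > ago(baseline_window)
    | where InitiatingProcessFileName =~ "svchost.exe"
        and InitiatingProcessCommandLine contains "WinHttpAutoProxySvc"
    | where FileName !in~ (expected_children)
    | extend ChildKey = tolower(FileName)   // join keys are case-sensitive, so normalise
    | project Timestamp, DeviceName, ChildKey, FileName, FolderPath,
              ProcessCommandLine, InitiatingProcessAccountName;
// Parent/child pairs the service host already produced before the hunt window
let baseline = wpad_children
    | where Timestamp <= ago(hunt_window)
    | distinct DeviceName, ChildKey;
wpad_children
| where Timestamp > ago(hunt_window)
| join kind=leftanti (baseline) on DeviceName, ChildKey   // drop pairs seen in baseline
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp), Hits = count(),
            CommandLines = make_set(ProcessCommandLine, 10)
    by DeviceName, FileName, FolderPath, InitiatingProcessAccountName
| order by Hits asc                                        // rarest children first
```

The leftanti join hides any child that the same device's service host already spawned during the baseline period, which is exactly what tunes out a recurring benign process but would also hide a compromise that began before the baseline started. Run the plain query from the page alongside this one on first use, and only move a child into `expected_children` once its FolderPath and command line have been confirmed on a known-good host.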