The Flash-CVE-2018-4848 hunting query looks for the process chain reported in exploitation of CVE-2018-4878, a 0day in Adobe Flash Player: cmd.exe spawned by excel.exe making outbound connections to domains under the .kr TLD, the indicator published by KrCERT for this targeted attack. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromises leveraging outdated or unpatched Flash components.
KQL Query
DeviceNetworkEvents
| where Timestamp > ago(14d)
| where InitiatingProcessFileName =~ "cmd.exe" and InitiatingProcessParentFileName =~ "excel.exe"
| where RemoteUrl endswith ".kr"
| project Timestamp, DeviceName, RemoteIP, RemoteUrl
| top 100 by Timestamp
id: 8e32bc35-72e6-4bc9-b3bb-2ee346c8acf0
name: Flash-CVE-2018-4848
description: |
  This query checks for specific processes and domain TLD used in the CVE-2018-4878 Flash 0day exploit attack reported by KrCERT.
  CVE: CVE-2018-4878
  Read more here:
  https://www.krcert.or.kr/data/secNoticeView.do?bulletin_writing_sequence=26998
  https://helpx.adobe.com/security/products/flash-player/apsa18-01.html
  http://blog.talosintelligence.com/2018/02/group-123-goes-wild.html
  http://blog.morphisec.com/flash-exploit-cve-2018-4878-spotted-in-the-wild-massive-malspam-campaign
  Tags: #exploit #CVE-2018-4878 #0day #Korea #Flash
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkEvents
query: |
  DeviceNetworkEvents
  | where Timestamp > ago(14d)
  | where InitiatingProcessFileName =~ "cmd.exe" and InitiatingProcessParentFileName =~ "excel.exe"
  | where RemoteUrl endswith ".kr"
  | project Timestamp, DeviceName, RemoteIP, RemoteUrl
  | top 100 by Timestamp
| Sentinel Table | Notes |
|---|---|
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate Flash-based Application Update
Description: A system administrator is deploying a legitimate Flash update via a scheduled task using Adobe Flash Player Updater.
Filter/Exclusion: Exclude processes containing Adobe Flash Player Updater or AdobeUpdater.exe in the process name.
Scenario: Scheduled System Maintenance Job
Description: A scheduled job runs a maintenance script that temporarily uses Flash-related tools (e.g., flashplayer.exe) for compatibility with legacy applications.
Filter/Exclusion: Exclude processes initiated by Task Scheduler or with CommandLine containing schtasks.exe or at.exe.
Scenario: Flash-based Reporting Tool Usage
Description: A business intelligence tool (e.g., Tableau, Power BI) uses Flash for rendering reports, triggering the rule due to Flash process activity.
Filter/Exclusion: Exclude processes with Tableau.exe, PowerBI.exe, or FlashReport.exe in the process name.
Scenario: Admin Tool for Flash Content Testing
Description: An IT admin uses a tool like FlashTestTool.exe to validate Flash content on a test system.
Filter/Exclusion: Exclude processes with FlashTestTool.exe or FlashValidator.exe in the process name.
Scenario: Flash-based Legacy Application
Description: A legacy application (e.g., LegacyApp.exe) still uses Flash for rendering, causing the rule to trigger during normal operation.
Filter/Exclusion: Exclude processes with LegacyApp.exe or FlashLegacy.exe in the process name.
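The exclusions from the scenarios above, folded into the hunting query as an added tuning example; this is not the original rule and not code from the Microsoft repository. Because the rule already pins the initiating process to cmd.exe and its parent to excel.exe, the benign process names listed in the scenarios can never appear in InitiatingProcessFileName, so the example applies them to the command line cmd.exe was launched with, which is where an updater, scheduler or legacy tool would actually surface. The allowlist contents are assumptions taken from the scenario text, not vetted binaries, and the summarize columns are an addition for triage.

```kql
// Added tuning example, not the original rule: base Flash-CVE-2018-4848 logic with the
// scenario exclusions applied and triage columns added.
let lookback = 14d;
// Binaries the scenarios describe as benign Flash tooling (assumed list; vet per environment)
let benignFlashTools = dynamic([
    "AdobeUpdater.exe", "flashplayer.exe", "Tableau.exe", "PowerBI.exe", "FlashReport.exe",
    "FlashTestTool.exe", "FlashValidator.exe", "LegacyApp.exe", "FlashLegacy.exe"]);
// Scheduler binaries from the "Scheduled System Maintenance Job" scenario
let schedulerBinaries = dynamic(["schtasks.exe", "at.exe"]);
DeviceNetworkEvents
| where Timestamp > ago(lookback)
// Original detection: cmd.exe spawned by Excel reaching out to a .kr domain
| where InitiatingProcessFileName =~ "cmd.exe" and InitiatingProcessParentFileName =~ "excel.exe"
| where RemoteUrl endswith ".kr"
// Scenario exclusions: the file name is pinned to cmd.exe, so benign tooling can only
// show up in the command line cmd.exe was launched with
| where not(InitiatingProcessCommandLine has_any (benignFlashTools))
| where not(InitiatingProcessCommandLine has "Adobe Flash Player Updater")
| where not(InitiatingProcessCommandLine has_any (schedulerBinaries))
// One row per device, account and destination, with enough context to triage without re-querying
| summarize EventCount = count(),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            CommandLines = make_set(InitiatingProcessCommandLine, 5),
            RemoteIPs = make_set(RemoteIP, 5)
    by DeviceName, InitiatingProcessAccountName, RemoteUrl
| order by LastSeen desc
| take 100
```

Run this in Advanced hunting or in the Sentinel Logs blade against the DeviceNetworkEvents table. The exclusions are placed after the positive conditions so the allowlist only suppresses rows that already matched the Excel-to-cmd.exe chain, and the grouped output keeps the first and last sighting per destination, which is what an analyst needs to decide whether a hit is a one-off macro or a sustained beacon.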