The MSIETabularActivex rule detects potential adversary use of a malicious ActiveX control embedded in a Microsoft Installer (MSI) file, which could be used for code execution or persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage threats that may evade traditional detection methods.
YARA Rule
rule MSIETabularActivex
{
meta:
ref = "CVE-2010-0805"
impact = 7
hide = true
author = "@d3t0n4t0r"
strings:
$cve20100805_1 = "333C7BC4-460F-11D0-BC04-0080C7055A83" nocase fullword
$cve20100805_2 = "DataURL" nocase fullword
$cve20100805_3 = "true"
condition:
($cve20100805_1 and $cve20100805_3) or (all of them)
}This YARA rule can be deployed in the following contexts:
This rule contains 3 string patterns in its detection logic.
Scenario: Microsoft System Center Configuration Manager (SCCM) deployment using MSI packages
Filter/Exclusion: Process:Microsoft\ConfigurationManager\MSIETabularActivex or Process:Microsoft\SystemCenter\ConfigurationManager
Scenario: Scheduled task running a legitimate MSI installer for software updates
Filter/Exclusion: Process:TaskScheduler\MSIETabularActivex or Process:WindowsTaskScheduler\MSIETabularActivex
Scenario: Microsoft Endpoint Configuration Manager (MECM) agent performing routine maintenance
Filter/Exclusion: Process:Microsoft\EndpointConfigurationManager\MSIETabularActivex or Process:Microsoft\MECM\MSIETabularActivex
Scenario: Admin using PowerShell to deploy software via Group Policy Object (GPO)
Filter/Exclusion: Process:PowerShell\MSIETabularActivex or Process:Microsoft\GroupPolicy\MSIETabularActivex
Scenario: Microsoft Intune client processing an MSI package for device compliance
Filter/Exclusion: Process:Microsoft\Intune\Client\MSIETabularActivex or Process:Microsoft\Intune\MSIETabularActivex