This detection rule identifies potential exploitation of CVE-2017-11882 by flagging suspicious behavior associated with the vulnerability, such as unusual process execution or network activity. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential compromise by adversaries leveraging this known vulnerability.
YARA Rule
```yara
rule potential_CVE_2017_11882
{
    meta:
        author = "ReversingLabs"
        reference = "https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-cobalt-strike-payload-exploiting-cve-2017-11882.html"
    strings:
        // OLE2 / Compound File Binary header; the condition requires it at offset 0
        $docfilemagic = { D0 CF 11 E0 A1 B1 1A E1 }
        // Markers of an embedded Equation Editor object (matched as ASCII or UTF-16LE)
        $equation1 = "Equation Native" wide ascii
        $equation2 = "Microsoft Equation 3.0" wide ascii
        // Strings typical of a command or download payload carried in the object (ASCII only)
        $mshta = "mshta"
        $http = "http://"
        $https = "https://"
        $cmd = "cmd"
        $pwsh = "powershell"
        $exe = ".exe"
        // Fixed address 0x00430C12 in little-endian byte order
        $address = { 12 0C 43 00 }
    condition:
        $docfilemagic at 0 and any of ($mshta, $http, $https, $cmd, $pwsh, $exe) and any of ($equation1, $equation2) and $address
}
```
This YARA rule can be deployed in the following contexts:
This rule contains 10 string patterns in its detection logic.
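To make the rule's four-part condition easier to trace and tune, the following added example (written for this page; it is not ReversingLabs code and does not use the YARA engine) re-implements the condition in plain Python and runs it over constructed byte blobs. The blobs, the `build_sample` helper and the `explain` report are assumptions made here; they are synthetic and are not real documents or exploit files.

```python
# Added example: plain-Python re-implementation of the condition in
# rule potential_CVE_2017_11882 (not YARA itself, not ReversingLabs code).
# All sample blobs below are constructed for illustration only.

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")                       # $docfilemagic
EQUATION_STRINGS = ["Equation Native", "Microsoft Equation 3.0"]    # $equation1/2, wide ascii
LURE_STRINGS = ["mshta", "http://", "https://", "cmd", "powershell", ".exe"]  # ASCII only
ADDRESS = bytes.fromhex("120C4300")                                  # $address (0x00430C12 LE)


def contains_wide_ascii(data: bytes, text: str) -> bool:
    """Emulate a YARA text string with 'wide ascii': match the ASCII form
    or the UTF-16LE ('wide') form of the text."""
    return text.encode("ascii") in data or text.encode("utf-16-le") in data


def contains_ascii(data: bytes, text: str) -> bool:
    """Emulate a plain YARA text string with no modifiers (ASCII only)."""
    return text.encode("ascii") in data


def rule_matches(data: bytes) -> bool:
    """True when data satisfies: $docfilemagic at 0 and any lure string
    and any equation string and $address."""
    if not data.startswith(OLE_MAGIC):                     # '$docfilemagic at 0'
        return False
    if not any(contains_ascii(data, s) for s in LURE_STRINGS):
        return False
    if not any(contains_wide_ascii(data, s) for s in EQUATION_STRINGS):
        return False
    return ADDRESS in data


def explain(data: bytes) -> dict:
    """Report which clauses hold, useful when triaging a hit or tuning the rule."""
    return {
        "magic_at_0": data.startswith(OLE_MAGIC),
        "lure_string": [s for s in LURE_STRINGS if contains_ascii(data, s)],
        "equation_string": [s for s in EQUATION_STRINGS if contains_wide_ascii(data, s)],
        "address": ADDRESS in data,
    }


def build_sample(body_parts: list) -> bytes:
    """Constructed helper: OLE header followed by padding and the given parts."""
    return OLE_MAGIC + b"\x00" * 16 + b"".join(body_parts)


# Constructed samples (synthetic, not real files)
BENIGN_EQUATION_DOC = build_sample([
    "Microsoft Equation 3.0".encode("utf-16-le"),   # ordinary equation object, wide form
    b"Equation Native",
])
SUSPICIOUS_DOC = build_sample([
    b"Equation Native",
    b"cmd.exe /c powershell",   # lure strings
    ADDRESS,                    # the fixed address the rule keys on
])
NON_OLE_FILE = b"%PDF-1.7 Microsoft Equation 3.0 cmd" + ADDRESS   # wrong container

if __name__ == "__main__":
    for name, blob in [("benign", BENIGN_EQUATION_DOC),
                       ("suspicious", SUSPICIOUS_DOC),
                       ("non-ole", NON_OLE_FILE)]:
        print(name, rule_matches(blob), explain(blob))
```

The `explain` output shows why the benign equation document does not fire: short lure strings such as `cmd` or `.exe` are common in ordinary OLE files, so the rule relies on the `$address` bytes and the offset-0 header check to keep its hit rate meaningful; when tuning, those two clauses are the ones worth keeping strict.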
**Scenario:** Legitimate system update using wsusutil.exe
**Description:** A Windows Update Standalone Installer (WSUS) utility is used to apply updates to a Windows Server.
**Filter/Exclusion:** Check for the presence of wsusutil.exe in the process tree and ensure the command line includes wsusutil.exe /import or similar update-related arguments.

**Scenario:** Scheduled backup task using vssadmin.exe
**Description:** A scheduled backup job uses Volume Shadow Copy Service (VSS) to create snapshots, which may trigger the rule due to similar command-line patterns.
**Filter/Exclusion:** Filter processes where the executable is vssadmin.exe and the command line includes vssadmin create shadow or similar backup-related commands.

**Scenario:** Admin task using taskkill.exe to terminate a service
**Description:** An administrator manually terminates a service using taskkill.exe with a service name, which may match the rule’s signature.
**Filter/Exclusion:** Filter processes where the executable is taskkill.exe and the command line includes /svc or /pid with known service names.

**Scenario:** PowerShell script using Start-Process to launch a legitimate tool
**Description:** A PowerShell script uses Start-Process to launch a known legitimate tool (e.g., notepad.exe, cmd.exe), which may trigger the rule due to command-line similarity.
**Filter/Exclusion:** Filter processes where the parent process is a PowerShell script and the child process is a known legitimate tool.

**Scenario:** Log file parsing using findstr.exe or find.exe
**Description:** A system administrator uses findstr.exe or find.exe to search through log files for specific strings, which may match the rule’s pattern.
**Filter/
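The exclusion filters described in the scenarios above, encoded as an added example (written for this page, not part of the original) and applied to constructed process-creation events. The event fields (`image`, `parent_image`, `command_line`), the scenario names and the `KNOWN_TOOLS` / `KNOWN_SERVICES` allow-lists are assumptions; the filters follow the scenario text as written, and the vssadmin filter is deliberately scoped to `create shadow` so that other vssadmin verbs are not suppressed.

```python
# Added example: the five benign scenarios as exclusion filters over constructed
# process events. Field names and allow-list members are assumptions made here.
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProcessEvent:
    image: str           # executable file name, e.g. "vssadmin.exe"
    parent_image: str    # parent executable file name
    command_line: str


KNOWN_TOOLS = {"notepad.exe", "cmd.exe"}      # scenario 4's "known legitimate tool" list (assumed)
KNOWN_SERVICES = {"spooler", "wuauserv"}      # scenario 3's "known service names" (assumed)


def _tokens(ev: ProcessEvent) -> list:
    return ev.command_line.lower().split()


def excluded_by(ev: ProcessEvent) -> Optional[str]:
    """Return the name of the benign scenario that explains the event,
    or None when no exclusion applies and the alert should stand."""
    image = ev.image.lower()
    parent = ev.parent_image.lower()
    args = _tokens(ev)
    joined = " ".join(args)

    # Scenario 1: wsusutil.exe with an import-style argument
    if image == "wsusutil.exe" and "/import" in args:
        return "wsus_update"
    # Scenario 2: vssadmin.exe creating a snapshot; scoped to "create shadow" so
    # that other verbs (for example deleting shadows) are still alerted on
    if image == "vssadmin.exe" and "create shadow" in joined:
        return "vss_backup"
    # Scenario 3: taskkill.exe with /svc or /pid naming a known service
    if image == "taskkill.exe" and ({"/svc", "/pid"} & set(args)) and (KNOWN_SERVICES & set(args)):
        return "taskkill_admin"
    # Scenario 4: PowerShell parent launching a known legitimate tool
    if parent == "powershell.exe" and image in KNOWN_TOOLS:
        return "powershell_start_process"
    # Scenario 5: log searching with findstr.exe / find.exe
    if image in {"findstr.exe", "find.exe"}:
        return "log_parsing"
    return None


def triage(events: list) -> list:
    """Pair each event with the exclusion that applies (None = keep the alert)."""
    return [(ev.image, excluded_by(ev)) for ev in events]


# Constructed sample events (synthetic; paths and names are made up)
SAMPLE_EVENTS = [
    ProcessEvent("wsusutil.exe", "cmd.exe", r"wsusutil.exe /import C:\updates\kb.cab"),
    ProcessEvent("vssadmin.exe", "svchost.exe", "vssadmin.exe create shadow /for=C:"),
    ProcessEvent("vssadmin.exe", "cmd.exe", "vssadmin.exe delete shadows /all /quiet"),
    ProcessEvent("taskkill.exe", "cmd.exe", "taskkill.exe /svc spooler"),
    ProcessEvent("notepad.exe", "powershell.exe", r"notepad.exe C:\temp\notes.txt"),
    ProcessEvent("findstr.exe", "cmd.exe", r"findstr.exe /i error C:\logs\app.log"),
]

if __name__ == "__main__":
    for image, reason in triage(SAMPLE_EVENTS):
        print(f"{image:14s} -> {reason or 'ALERT (no exclusion)'}")
```

The third sample event is the one worth noticing: it is a vssadmin invocation, but because the backup exclusion is keyed on the `create shadow` verb rather than on the executable name alone, a shadow-deletion command still produces an alert. Keying exclusions on the full benign command pattern, not just the binary, is what keeps this tuning from becoming a blind spot.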