Adversaries may attempt to identify and exploit the CVE-2017-11882 vulnerability (the Microsoft Office Equation Editor memory-corruption flaw) to gain unauthorized access to systems. Proactively hunting for this behavior in Azure Sentinel can help detect early-stage activity and prevent exploitation of a known critical vulnerability.
YARA Rule
rule rtf_cve2017_11882_ole : malicious exploit cve_2017_11882 {
    meta:
        author = "John Davison"
        description = "Attempts to identify the exploit CVE 2017 11882"
        reference = "https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about"
        sample = "51cf2a6c0c1a29abca9fd13cb22421da"
        score = 60
        //file_name = "re:^stream_[0-9]+_[0-9]+.dat$"
    strings:
        $headers = { 1c 00 00 00 02 00 ?? ?? a9 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 03 01 01 03 ?? }
        $font = { 0a 01 08 5a 5a } // <-- I think that 5a 5a is the trigger for the buffer overflow
        //$code = /[\x01-\x7F]{44}/
        $winexec = { 12 0c 43 00 }
    condition:
        all of them and @font > @headers and @winexec == @font + 5 + 44
}
This YARA rule can be deployed in the following contexts:
This rule contains 4 string patterns in its detection logic.
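The condition of the rule above is an offset relationship, not just a set of byte strings: the WinExec address bytes must sit exactly 5 + 44 bytes after the font record, which itself must follow the header block. The following added example (not part of the original rule or its author's work) re-implements that condition in pure Python so the arithmetic can be checked against a constructed test buffer without a YARA install; the buffer layout, filler bytes and the helper names are assumptions made for the demonstration.

```python
import re

# Hex strings from the YARA rule, translated to byte regexes ("??" -> any byte).
PATTERNS = {
    "headers": re.compile(
        rb"\x1c\x00\x00\x00\x02\x00..\xa9\x00\x00\x00.{16}\x03\x01\x01\x03.", re.DOTALL),
    "font": re.compile(rb"\x0a\x01\x08\x5a\x5a", re.DOTALL),
    "winexec": re.compile(rb"\x12\x0c\x43\x00", re.DOTALL),
}
FONT_LEN = 5   # length of the $font pattern
CODE_LEN = 44  # the 44-byte region the commented-out $code pattern describes


def rule_offsets(data: bytes) -> dict:
    """First-occurrence offset of each string (None if absent), mirroring YARA's @string."""
    offsets = {}
    for name, rx in PATTERNS.items():
        m = rx.search(data)
        offsets[name] = m.start() if m else None
    return offsets


def matches_rule(data: bytes) -> bool:
    """Evaluate: all of them and @font > @headers and @winexec == @font + 5 + 44."""
    off = rule_offsets(data)
    if any(v is None for v in off.values()):
        return False
    return off["font"] > off["headers"] and off["winexec"] == off["font"] + FONT_LEN + CODE_LEN


def build_sample(gap: int = CODE_LEN, font_first: bool = False) -> bytes:
    """Constructed test buffer (assumed layout, not a real document): header block,
    font record, `gap` filler bytes, then the WinExec address bytes. `font_first`
    swaps header and font so the @font > @headers clause can be exercised."""
    header = (b"\x1c\x00\x00\x00\x02\x00\x00\x00\xa9\x00\x00\x00"
              + b"\x00" * 16 + b"\x03\x01\x01\x03\x00")
    font = b"\x0a\x01\x08\x5a\x5a"
    body = font + header if font_first else header + font
    return b"PADDING" + body + b"\x41" * gap + b"\x12\x0c\x43\x00" + b"TRAILER"


if __name__ == "__main__":
    for label, blob in (("laid out as the rule expects", build_sample()),
                        ("gap off by one byte", build_sample(gap=43)),
                        ("font record before header", build_sample(font_first=True))):
        print(f"{label}: match={matches_rule(blob)} offsets={rule_offsets(blob)}")
```

Only the first buffer matches; the other two show why a spurious hit on one string alone (or a shifted layout) does not fire the rule, which is what keeps its false-positive rate low.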
Scenario: A system administrator is using PowerShell to perform a scheduled system cleanup task that includes command-line arguments resembling those used in the CVE-2017-11882 exploit.
Filter/Exclusion: Exclude processes initiated by the System or Local System account, or filter by command-line arguments containing clean, remove, or delete.
Scenario: A Windows Task Scheduler job is configured to run a legitimate script that uses PowerShell to interact with the registry, which may include arguments similar to those in the exploit.
Filter/Exclusion: Exclude tasks that are scheduled under the Task Scheduler service or have a known name (e.g., CleanupTask, DiskCleanup).
Scenario: A Windows Admin Center or PowerShell ISE session is used by a security analyst to test or debug a script that includes commands matching the exploit’s signature.
Filter/Exclusion: Exclude processes running from the PowerShell ISE or Windows Admin Center application, or filter by user account (e.g., Administrator or SecurityAnalyst).
Scenario: A Windows Update or Group Policy client service is executing a script that includes command-line arguments that match the exploit’s pattern.
Filter/Exclusion: Exclude processes associated with wuauclt.exe, gupdate32.exe, or GroupPolicy services.
Scenario: A remote management tool such as PsExec or WinRM is used to execute a legitimate administrative command that includes arguments similar to the exploit.
Filter/Exclusion: Exclude processes initiated via PsExec or WinRM and filter by known remote management tools or user context (e.g., RemoteAdmin or DomainAdmin).