SigmaHQ/rules/windows/process_creation/win_exploit_cve_2015_1641.yml

title: Exploit for CVE-2015-1641
id: 7993792c-5ce2-4475-a3db-a3a5539827ef
status: experimental
description: Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641
references:
    - https://www.virustotal.com/en/file/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8/analysis/
    - https://www.hybrid-analysis.com/sample/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8?environmentId=100
author: Florian Roth
date: 2018/02/22
tags:
    - attack.defense_evasion
    - attack.t1036.005
    - attack.t1036  # an old one
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\WINWORD.EXE'
        Image|endswith: '\MicroScMgmt.exe'
    condition: selection
falsepositives:
    - Unknown
level: critical
Rule: CVE-2015-1641 2018-02-22 15:59:40 +00:00			`title: Exploit for CVE-2015-1641`
Added UUIDs to rules 2019-11-12 22:12:27 +00:00			`id: 7993792c-5ce2-4475-a3db-a3a5539827ef`
Rule: CVE-2015-1641 2018-02-22 15:59:40 +00:00			`status: experimental`
			`description: Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641`
			`references:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`- https://www.virustotal.com/en/file/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8/analysis/`
			`- https://www.hybrid-analysis.com/sample/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8?environmentId=100`
Rule: CVE-2015-1641 2018-02-22 15:59:40 +00:00			`author: Florian Roth`
			`date: 2018/02/22`
Added missing tags and some minor improvements 2019-03-05 22:25:49 +00:00			`tags:`
			`- attack.defense_evasion`
att&ck tags review: windows/process_creation part 2 2020-08-29 04:39:30 +00:00			`- attack.t1036.005`
			`- attack.t1036 # an old one`
Rule: CVE-2015-1641 2018-02-22 15:59:40 +00:00			`logsource:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`category: process_creation`
			`product: windows`
Rule: CVE-2015-1641 2018-02-22 15:59:40 +00:00			`detection:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`selection:`
Update win_exploit_cve_2015_1641.yml 2020-10-15 20:50:55 +00:00			`ParentImage\|endswith: '\WINWORD.EXE'`
			`Image\|endswith: '\MicroScMgmt.exe'`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`condition: selection`
Rule: CVE-2015-1641 2018-02-22 15:59:40 +00:00			`falsepositives:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`- Unknown`
Rule: CVE-2015-1641 2018-02-22 15:59:40 +00:00			`level: critical`