valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 09:48:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
725ab99e90
SigmaHQ/rules/windows/process_creation/win_exploit_cve_2017_8759.yml

19 lines
659 B
YAML
Raw Normal View History

Converted Sysmon/1 and Security/4688 to generic process creation rules
2019-01-16 22:36:31 +00:00
title: Exploit for CVE-2017-8759
CVE-2017-8759 - Winword.exe > csc.exe
2017-09-15 13:49:05 +00:00
description: Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759
Change "reference" to "references" to match new schema
2018-01-27 23:12:19 +00:00
references:
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4
2019-03-01 23:14:20 +00:00
- https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
- https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
CVE-2017-8759 - Winword.exe > csc.exe
2017-09-15 13:49:05 +00:00
author: Florian Roth
date: 15.09.2017
logsource:
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4
2019-03-01 23:14:20 +00:00
category: process_creation
product: windows
CVE-2017-8759 - Winword.exe > csc.exe
2017-09-15 13:49:05 +00:00
detection:
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4
2019-03-01 23:14:20 +00:00
selection:
ParentImage: '*\WINWORD.EXE'
Image: '*\csc.exe'
condition: selection
CVE-2017-8759 - Winword.exe > csc.exe
2017-09-15 13:49:05 +00:00
falsepositives:
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4
2019-03-01 23:14:20 +00:00
- Unknown
CVE-2017-8759 - Winword.exe > csc.exe
2017-09-15 13:49:05 +00:00
level: critical
Reference in New Issue Copy Permalink