SigmaHQ/rules/windows/process_creation/win_exploit_cve_2017_8759.yml
2019-11-12 23:12:27 +01:00

23 lines
748 B
YAML

title: Exploit for CVE-2017-8759
id: fdd84c68-a1f6-47c9-9477-920584f94905
description: Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759
references:
- https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
- https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
tags:
- attack.execution
- attack.t1203
author: Florian Roth
date: 2017/09/15
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage: '*\WINWORD.EXE'
Image: '*\csc.exe'
condition: selection
falsepositives:
- Unknown
level: critical