/*
   Yara Rule Set
   Author: Florian Roth
   Date: 2017-09-14
   Identifier: Detects malicious files in relation with CVE-2017-8759
   Reference: https://github.com/Voulnet/CVE-2017-8759-Exploit-sample
*/

/* Rule Set ----------------------------------------------------------------- */

rule CVE_2017_8759_Mal_HTA {
   meta:
      description = "Detects malicious files related to CVE-2017-8759 - file cmd.hta"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://github.com/Voulnet/CVE-2017-8759-Exploit-sample"
      date = "2017-09-14"
      hash1 = "fee2ab286eb542c08fdfef29fabf7796a0a91083a0ee29ebae219168528294b5"
      id = "e53b5149-fc94-5da5-8e35-7f09a9cd79fd"
   strings:
      // Script body of the sample HTA: a process-creation call that hands a
      // cmd.exe command line to PowerShell. Matched as a whole word, ASCII only.
      $x1 = "Error = Process.Create(\"powershell -nop cmd.exe /c" fullword ascii
   condition:
      // uint16() reads little-endian, so 0x683c means the file begins with the
      // bytes "<h" (an HTML/HTA opening tag). The 1KB bound ties the rule to
      // files of the sample's size class; larger files are out of scope.
      uint16(0) == 0x683c
      and filesize < 1KB
      and $x1
}

rule CVE_2017_8759_Mal_Doc {
   meta:
      description = "Detects malicious files related to CVE-2017-8759 - file Doc1.doc"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://github.com/Voulnet/CVE-2017-8759-Exploit-sample"
      date = "2017-09-14"
      modified = "2023-11-21"
      hash1 = "6314c5696af4c4b24c3a92b0e92a064aaf04fd56673e830f4d339b8805cc9635"
      id = "48587c13-7661-5987-8331-732115f7823b"
   strings:
      // The SOAP moniker that triggers the WSDL fetch (CVE-2017-8759). Plain and
      // percent-encoded forms of the scheme separator are covered ("%3" is the
      // URL encoding of ":"), in both ASCII and UTF-16LE.
      $s1 = "soap:wsdl=http://" ascii wide
      $s2 = "soap:wsdl=https://" ascii wide
      $s3 = "soap:wsdl=http%3" ascii wide
      $s4 = "soap:wsdl=https%3" ascii wide
      // UTF-16LE reference to the AutoOpen entry point of the document's VBA
      // project, i.e. code that runs when the document is opened.
      $c1 = "Project.ThisDocument.AutoOpen" fullword wide
   condition:
      // 0xcfd0 little-endian = bytes D0 CF, the start of the OLE2 / Compound
      // File header used by legacy Office documents. Both the auto-run marker
      // and at least one moniker variant are required.
      uint16(0) == 0xcfd0
      and filesize < 500KB
      and $c1
      and 1 of ($s*)
}

rule CVE_2017_8759_SOAP_via_JS {
   meta:
      description = "Detects SOAP WDSL Download via JavaScript"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://twitter.com/buffaloverflow/status/907728364278087680"
      date = "2017-09-14"
      score = 60
      id = "9e96cea3-4282-5f25-ad37-51bd69258790"
   strings:
      // GetObject() call carrying the SOAP moniker, as seen in script-based
      // variants. Case-insensitive, ASCII and UTF-16LE.
      $s1 = "GetObject(\"soap:wsdl=https://" ascii wide nocase
      $s2 = "GetObject(\"soap:wsdl=http://" ascii wide nocase
   condition:
      // No file-type check here, hence the reduced score (60); the 3KB bound
      // keeps the rule to small script files. Either URL scheme is enough.
      filesize < 3KB
      and any of them
}

rule CVE_2017_8759_SOAP_Excel {
   meta:
      description = "Detects malicious files related to CVE-2017-8759"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://twitter.com/buffaloverflow/status/908455053345869825"
      date = "2017-09-15"
      score = 60
      id = "940ec910-49a4-5271-97e4-8536db271b80"
   strings:
      // SOAP moniker preceded by "|'", which looks like the command part of a
      // spreadsheet DDE-style formula (see the referenced tweet). Case-insensitive,
      // ASCII and UTF-16LE.
      $s1 = "|'soap:wsdl=" ascii wide nocase
   condition:
      // No magic-byte check, so this is a lower-confidence (score 60) rule
      // bounded only by size.
      filesize < 300KB
      and any of them
}

rule CVE_2017_8759_SOAP_txt {
   meta:
      description = "Detects malicious file in releation with CVE-2017-8759 - file exploit.txt"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://github.com/Voulnet/CVE-2017-8759-Exploit-sample"
      date = "2017-09-14"
      hash1 = "840ad14e29144be06722aff4cc04b377364eeed0a82b49cc30712823838e2444"
      id = "36474420-4fa9-5264-a46b-bb2434624710"
   strings:
      $s1 = /