From 20f9dbb31c65090515979a81553316201bc865e2 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 15 Sep 2017 15:49:05 +0200
Subject: [PATCH] CVE-2017-8759 - Winword.exe > csc.exe

---
 .../sysmon/sysmon_vuln_cve_2017_8759.yml | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 rules/windows/sysmon/sysmon_vuln_cve_2017_8759.yml

diff --git a/rules/windows/sysmon/sysmon_vuln_cve_2017_8759.yml b/rules/windows/sysmon/sysmon_vuln_cve_2017_8759.yml
new file mode 100644
index 000000000..061db9210
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_vuln_cve_2017_8759.yml
@@ -0,0 +1,19 @@
+title: Exploit for CVE-2017-8759
+description: Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759
+reference:
+    - https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
+    - https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
+author: Florian Roth
+date: 15.09.2017
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+        ParentImage: '*\WINWORD.EXE'
+        Image: '*\csc.exe'
+    condition: selection
+falsepositives:
+    - Unknown
+level: critical
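Review bot: The selection pins the parent to `'*\WINWORD.EXE'` only, but CVE-2017-8759 is a flaw in the .NET Framework's SOAP/WSDL handling rather than in Word itself, so the same csc.exe spawn can appear under any Office host that renders the malicious object (the commit subject and the two sandbox references only cover the Word variant, so this is an inference to confirm). I would make `ParentImage` a list, e.g. `ParentImage:` / `    - '*\WINWORD.EXE'` / `    - '*\EXCEL.EXE'` / `    - '*\POWERPNT.EXE'`, and reword the description to "Office application" instead of "Winword". `falsepositives: Unknown` undersells a known benign path: csc.exe is also launched when .NET code in the host compiles a temporary assembly (CodeDOM/XmlSerializer), so a VSTO add-in could trigger this — I would list that case explicitly rather than "Unknown" so analysts know what to check before escalating a `critical` hit. The mixed case of `WINWORD.EXE` and `csc.exe` is harmless where Sigma matching is case-insensitive, but using one convention (`'*\winword.exe'`, `'*\csc.exe'`) avoids a backend that compiles the pattern case-sensitively silently missing one of them.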