# Elastic prebuilt detection rule: WPS Office DLL hijack (CVE-2024-7262 / CVE-2024-7263).
# The rule keys on the legitimate WPS host process promecefpluginhost.exe loading a DLL
# from its local browser cache or from a network (UNC / MUP) location. It detects the
# DLL-load stage only, not the earlier ksoqing:// link delivery.
[metadata]
creation_date = "2024/08/29"
# Both Elastic integrations below must be installed for the `index` patterns under [rule]
# to resolve; the rule is otherwise a no-op for the missing data source.
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2024/08/29"

[rule]
author = ["Elastic"]
description = """
Identifies the load of a remote library by the WPS Office promecefpluginhost.exe executable. This may indicate the
successful exploitation of CVE-2024-7262 or CVE-2024-7263 via DLL hijack abusing the ksoqing custom protocol handler.
"""
# Lookback window for each rule execution. Paired with timestamp_override below, this
# is evaluated against ingest time, so late-arriving endpoint events are still caught.
from = "now-9m"
# Two data sources, one per branch of the query:
#   - Elastic Defend library events (event.category == "library")
#   - Sysmon image-load events; these only exist if ImageLoad logging (Event ID 7) is
#     enabled in the Sysmon configuration -- confirm for the deployment, otherwise the
#     second branch never fires.
index = [
  "logs-endpoint.events.library-*",
  "logs-windows.sysmon_operational-*",
]
language = "eql"
license = "Elastic License v2"
name = "WPS Office Exploitation via DLL Hijack"
references = [
  "https://www.welivesecurity.com/en/eset-research/analysis-of-two-arbitrary-code-execution-vulnerabilities-affecting-wps-office/",
  "https://mp.weixin.qq.com/s/F8hNyESBdKhwXkQPgtGpew",
]
risk_score = 73
rule_id = "ac6bc744-e82b-41ad-b58d-90654fa4ebfb"
severity = "high"
tags = [
  "Domain: Endpoint",
  "OS: Windows",
  "Use Case: Threat Detection",
  "Tactic: Initial Access",
  "Tactic: Execution",
  "Data Source: Elastic Defend",
  "Data Source: Sysmon",
]
# Use ingest time rather than the event's own @timestamp so the `from` window is not
# defeated by clock skew or delayed shipping from the endpoint.
timestamp_override = "event.ingested"
type = "eql"
# Query notes:
#   - `process.name :` is a case-insensitive match on the WPS plugin host process name
#     only; a renamed or otherwise-hosted payload would not match this rule.
#   - The `?` prefix on dll.path / file.path marks the field as optional in EQL, so the
#     query still compiles when one data source does not map that field.
#   - The same three path patterns are used in both branches:
#       "?:\Users\*\AppData\Local\Temp\wps\INetCache\*"  -- WPS's local browser cache, the
#                                                           drop location described in the
#                                                           referenced ESET analysis
#       "\Device\Mup\**"                                 -- Windows Multiple UNC Provider
#                                                           device path (network share)
#       "\\*"                                            -- plain UNC path
#     The backslashes are doubled because they are EQL string escapes; this is a TOML
#     literal string, so TOML itself does not process them.
#   - Possible benign match: WPS legitimately loading a plugin DLL from a network share.
#     NOTE(review): not observed here -- verify against baseline before tuning.
query = '''
any where host.os.type == "windows" and process.name : "promecefpluginhost.exe" and
(
  (event.category == "library" and ?dll.path : ("?:\\Users\\*\\AppData\\Local\\Temp\\wps\\INetCache\\*", "\\Device\\Mup\\**", "\\\\*")) or
  ((event.category == "process" and event.action : "Image loaded*") and ?file.path : ("?:\\Users\\*\\AppData\\Local\\Temp\\wps\\INetCache\\*", "\\Device\\Mup\\**", "\\\\*"))
)
'''

# MITRE ATT&CK mapping: the DLL load is client-side code execution...
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1203"
name = "Exploitation for Client Execution"
reference = "https://attack.mitre.org/techniques/T1203/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"

# ...reached via a browser-handled custom protocol link, hence also Drive-by Compromise.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1189"
name = "Drive-by Compromise"
reference = "https://attack.mitre.org/techniques/T1189/"

[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"