Since Microsoft released November patches last week where CVE-2017-11882 was addressed, I've been trying to get a sample in order to perform some checks for the vulnerability. Today thanks to Corsin Camichel I got the PoC
There is some information about this PoC in this blog post
At the moment the detection rate of the malicious files used in this analysis is really low.
Office doesn't spawn any unusual process while exploiting this vulnerability, hence a Use Case which monitors unusual processes spawned by Office will no detect the exploitation of this issue.
However, in this case, we need to pay attention to the the equation tool process "EQNEDT32.EXE". This process is the one who spawns other processes, hence monitoring those child process will detect any potential exploitation.
A basic Use case to detect is below.
A basic Use case to detect is below.
Time for monitor your EQNEDT32.EXE processes :)