added detect-exploitation-of-cve-2018-8653.md

Author: martyav

Execution/detect-exploitation-of-cve-2018-8653.md

@@ -0,0 +1,47 @@
+# Detect exploitation of the Internet Explorer remote code execution vulnerability, CVE-2018-8653
+
+This query was originally published in the threat analytics report, *CVE-2018-8653 scripting engine vulnerability*.
+
+[CVE-2018-8653](https://nvd.nist.gov/vuln/detail/CVE-2018-8653) is a remote code execution vulnerability found in the scripting engine for several releases of Internet Explorer. An attacker exploiting this CVE could use a malicious webpage to gain the same access rights as the currently logged-in user -- which is particularly problematic if the user is an administrator.
+
+Microsoft has since [addressed](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8653) this vulnerability.
+
+The following queries detect possible exploitation of this CVE.
+
+## Query
+
+```Kusto
+​ProcessCreationEvents
+| where EventTime > ago(7d)
+and InitiatingProcessFileName =~ "svchost.exe"
+and InitiatingProcessCommandLine contains "WinHttpAutoProxySvc"
+and FileName !~ "pacjsworker.exe"
+and FileName !~ "svchost.exe"
+and FileName !~ "WerFault.exe"
+```
+
+## Category
+
+This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
+
+| Technique, tactic, or state | Covered? (v=yes) | Notes |
+|-|-|-|
+| Initial access | v |  |
+| Execution | v |  |
+| Persistence |  |  |
+| Privilege escalation |  |  |
+| Defense evasion |  |  |
+| Credential Access |  |  |
+| Discovery |  |  |
+| Lateral movement |  |  |
+| Collection |  |  |
+| Command and control |  |  |
+| Exfiltration |  |  |
+| Impact |  |  |
+| Vulnerability |  |  |
+| Misconfiguration |  |  |
+| Malware, component |  |  |
+
+## Contributor info
+
+**Contributor:** Microsoft Threat Protection team