[SANS Institute and Anvilogic Present] The 2025 State of Detection Engineering Report
Join the waitlist
Skip to main content
On-Demand Webinar

Abuse EQNEDT32.EXE CVE-2017-11882

Threats + Use Case
On-Demand Webinar

Abuse EQNEDT32.EXE CVE-2017-11882

Detection Strategies

Overview of CVE-2017-11882

CVE-2017-11882 affects several versions of Microsoft Office and, when exploited, allows a remote user to run arbitrary code in the context of the current user as a result of improperly handling objects in memory. The vulnerability exists in the old Equation Editor (EQNEDT32.EXE), a component of Microsoft Office that is used to insert and evaluate mathematical formulas. As the EQNEDT32.exe is compiled using an older compiler and does not support address space layout randomization (ASLR), a technique that guards against the exploitation of memory-corruption vulnerabilities, the attacker can easily alter the flow of program execution. This use case is geared towards detecting the potential malicious Microsoft Office payload(CVE-2017-11882) on host

References

Request Access to Use Case Repository

Tags

Execution

APT32

APT41

Splunk

Cobalt Group

Frankenstein

Inception

Leviathan

Patchwork

Tropic Trooper

Exploitation for Client Execution

Get the Latest Resources

Leave Your Data Where You Want: Detect Across Snowflake

Demo Series
Leave Your Data Where You Want: Detect Across Snowflake
Watch

MonteAI: Your Detection Engineering & Threat Hunting Co-Pilot

Demo Series
MonteAI: Your Detection Engineering & Threat Hunting Co-Pilot
Watch
Build Detections You Want, Where You Want
Get the latest news, blog posts and threat reports
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
By submitting this form, you agree to our Terms of Use
and acknowledge our Privacy Statement.
Product
PlatformIntegrations
Learn
BlogResourcesThreat ResearchDetection DispatchWebinarsCustomersSolution Guides
Customer Resources
Log InRelease NotesKnowledge Base
Company
About UsCareersContact Us
Facebook
Twitter
Linkedin
© 2024 Anvilogic. All Rights Reserved.
[SANS Institute and Anvilogic Present] The 2025 State of Detection Engineering Report
Join the waitlist
Skip to main content
White Paper

Abuse EQNEDT32.EXE CVE-2017-11882

Threats + Use Case
Build Detections You Want, Where You Want
Get the latest news, blog posts and threat reports
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
By submitting this form, you agree to our Terms of Use
and acknowledge our Privacy Statement.
Product
PlatformIntegrations
Learn
BlogResourcesThreat ResearchDetection DispatchWebinarsCustomersSolution Guides
Customer Resources
Log InRelease NotesKnowledge Base
Company
About UsCareersContact Us
Facebook
Twitter
Linkedin
© 2024 Anvilogic. All Rights Reserved.
[SANS Institute and Anvilogic Present] The 2025 State of Detection Engineering Report
Join the waitlist
Skip to main content
May 5, 2021

Abuse EQNEDT32.EXE CVE-2017-11882

Threats + Use Case

Overview of CVE-2017-11882

CVE-2017-11882 affects several versions of Microsoft Office and, when exploited, allows a remote user to run arbitrary code in the context of the current user as a result of improperly handling objects in memory. The vulnerability exists in the old Equation Editor (EQNEDT32.EXE), a component of Microsoft Office that is used to insert and evaluate mathematical formulas. As the EQNEDT32.exe is compiled using an older compiler and does not support address space layout randomization (ASLR), a technique that guards against the exploitation of memory-corruption vulnerabilities, the attacker can easily alter the flow of program execution. This use case is geared towards detecting the potential malicious Microsoft Office payload(CVE-2017-11882) on host

References

Request Access to Use Case Repository

Tags

Execution

APT32

APT41

Splunk

Cobalt Group

Frankenstein

Inception

Leviathan

Patchwork

Tropic Trooper

Exploitation for Client Execution

Build Detection You Want,
Where You Want

Build Detection You Want,
Where You Want

Book a Demo