FireEye has published an article on the zero-day that leverages CVE-2017-8759, a SOAP WSDL parser code injection vulnerability. The WSDL parser does not perform the right validation if provided data that contains a CRLF sequence. This allows the attacker to inject a System.Diagnostics.Process.Start method. The generated code will be compiled by csc.exe of the .NET Framework and loaded by the Office executable as a DLL.
Wondering if NetWitness Endpoint (ECAT) is able to detect this zero-day attack. I would appreciate your views, or your sharing if you have managed to achieve some exploits.
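A behavioural check for the chain described in the post above (an Office process leading to csc.exe, then a DLL loaded back into that Office process), added here as an example; it is not part of the original post and is not NetWitness Endpoint content. The event records, field names and trusted-path list are constructed assumptions, to be mapped onto whatever process and module telemetry the endpoint agent exports.

```python
import ntpath

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
TRUSTED = ("c:\\windows\\", "c:\\program files")  # assumption: tune per environment

# Constructed sample events in time order; field names are hypothetical.
EVENTS = [
    {"type": "proc", "pid": 100, "ppid": 4, "image": r"C:\Windows\explorer.exe"},
    {"type": "proc", "pid": 200, "ppid": 100,
     "image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE"},
    {"type": "proc", "pid": 300, "ppid": 200,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"},
    {"type": "load", "pid": 200, "module": r"C:\Windows\System32\mscoree.dll"},
    {"type": "load", "pid": 200,
     "module": r"C:\Users\u\AppData\Local\Temp\constructed_gen.dll"},
    # Benign developer build: csc.exe with no Office process above it.
    {"type": "proc", "pid": 400, "ppid": 100, "image": r"C:\Tools\build_shell.exe"},
    {"type": "proc", "pid": 500, "ppid": 400,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"},
]

def name(path):
    return ntpath.basename(path).lower()

def office_ancestor(pid, procs):
    """Walk the parent chain; return the first Office process above pid, if any."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        pid = procs[pid]["ppid"]
        if pid in procs and name(procs[pid]["image"]) in OFFICE:
            return pid
    return None

def detect(events):
    procs, watched, alerts = {}, set(), []
    for ev in events:
        if ev["type"] == "proc":
            procs[ev["pid"]] = ev
            if name(ev["image"]) == "csc.exe":
                anc = office_ancestor(ev["pid"], procs)
                if anc is not None:
                    watched.add(anc)  # from now on, watch this Office process
                    alerts.append(("csc_under_office", anc, ev["pid"]))
        elif ev["type"] == "load" and ev["pid"] in watched:
            # Only loads seen after the compile, from outside trusted paths.
            if not ev["module"].lower().startswith(TRUSTED):
                alerts.append(("untrusted_dll_after_compile", ev["pid"], ev["module"]))
    return alerts
```

The first alert alone is a strong signal, since Office applications do not normally start the C# compiler; the second ties the compiled output back to the Office process that loaded it.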