Emerging Threatcriticaltest

Potential CVE-2023-36884 Exploitation Pattern

Detects a unique pattern seen being used by RomCom potentially exploiting CVE-2023-36884

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

X__JuniorCreated Wed Jul 120066d244-c277-4c3e-88ec-9e7b777cc8bc2023

Emerging Threat

Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source

Proxy Log

CategoryProxy Log← raw: proxy

Detection Logic

detection:
    selection:
        cs-method: 'GET'
        c-uri|contains: '/MSHTML_C7/'
        c-uri|re: '\?d=[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

blogs.blackberry.com

MITRE ATT&CK

Tactics

TA0011 · Command and Control

Other

cve.2023-36884detection.emerging-threats

Rule Metadata

Rule ID

0066d244-c277-4c3e-88ec-9e7b777cc8bc

Status

test

Level

critical

Type

Emerging Threat

Created

Wed Jul 12

Author

X__Junior

Path

rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce.yml

Raw Tags

attack.command-and-controlcve.2023-36884detection.emerging-threats

View on GitHub