Emerging Threatmediumtest

Potential CVE-2023-36884 Exploitation - File Downloads

Detects files seen being requested by RomCom while potentially exploiting CVE-2023-36884

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

X__JuniorCreated Wed Jul 126af1617f-c179-47e3-bd66-b28034a1052d2023

Emerging Threat

Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source

Proxy Log

CategoryProxy Log← raw: proxy

Detection Logic

detection:
    selection:
        cs-method: 'GET'
        c-uri|contains:
            - '/ex001.url'
            - '/file001.search-ms'
            - '/file001.url'
            - '/file001.vbs'
            - '/file1.mht'
            - '/o2010.asp'
            - '/redir_obj.html'
            - '/RFile.asp'
            - '/zip_k.asp'
            - '/zip_k2.asp'
            - '/zip_k3.asp'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

blogs.blackberry.com

MITRE ATT&CK

Tactics

TA0011 · Command and Control

Other

cve.2023-36884detection.emerging-threats

Rule Metadata

Rule ID

6af1617f-c179-47e3-bd66-b28034a1052d

Status

test

Level

medium

Type

Emerging Threat

Created

Wed Jul 12

Author

X__Junior

Path

rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_traffic.yml

Raw Tags

attack.command-and-controlcve.2023-36884detection.emerging-threats

View on GitHub