Emerging Threatmediumtest
Potential CVE-2023-36884 Exploitation Dropped File
Detects a specific file being created in the recent folder of Office. These files have been seen being dropped during potential exploitations of CVE-2023-36884
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)Created Thu Jul 138023d3a2-dcdc-44da-8fa9-5c7906e55b382023
Emerging Threat
Active Threat
Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.
Log Source
WindowsFile Event
ProductWindows← raw: windows
CategoryFile Event← raw: file_event
Events for file system activity including creation, modification, and deletion.
Detection Logic
Detection Logic1 selector
detection:
selection:
TargetFilename|startswith: 'C:\Users\'
TargetFilename|contains: '\AppData\Roaming\Microsoft\Office\Recent\'
TargetFilename|endswith: '\file001.url'
condition: selectionFalse Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
MITRE ATT&CK
Other
cve.2023-36884detection.emerging-threats
Rule Metadata
Rule ID
8023d3a2-dcdc-44da-8fa9-5c7906e55b38
Status
test
Level
medium
Type
Emerging Threat
Created
Thu Jul 13
Path
rules-emerging-threats/2023/Exploits/CVE-2023-36884/file_event_win_exploit_cve_2023_36884_office_windows_html_rce_file_patterns.yml
Raw Tags
attack.persistenceattack.defense-evasioncve.2023-36884detection.emerging-threats