Emerging Threathightest

Potential CVE-2023-27363 Exploitation - HTA File Creation By FoxitPDFReader

Detects suspicious ".hta" file creation in the startup folder by Foxit Reader. This can be an indication of CVE-2023-27363 exploitation.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

GregoryCreated Wed Oct 119cae055f-e1d2-4f81-b8a5-1986a68cdd842023

Emerging Threat

Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source

WindowsFile Event

ProductWindows← raw: windows

CategoryFile Event← raw: file_event

Events for file system activity including creation, modification, and deletion.

Detection Logic

detection:
    selection:
        Image|endswith: '\FoxitPDFReader.exe'
        TargetFilename|contains: '\Microsoft\Windows\Start Menu\Programs\Startup\'
        TargetFilename|endswith: '.hta'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

github.com

Resolving title…

zerodayinitiative.com

Resolving title…

tarlogic.com

MITRE ATT&CK

Tactics

TA0003 · Persistence

Sub-techniques

T1505.001 · SQL Stored Procedures

Other

cve.2023-27363detection.emerging-threats

Rule Metadata

Rule ID

9cae055f-e1d2-4f81-b8a5-1986a68cdd84

Status

test

Level

high

Type

Emerging Threat

Created

Wed Oct 11

Author

Gregory

Path

rules-emerging-threats/2023/Exploits/CVE-2023-27363/file_event_win_cve_2023_27363_foxit_rce.yml

Raw Tags

attack.persistenceattack.t1505.001cve.2023-27363detection.emerging-threats

View on GitHub