Emerging Threat | Level: high | Status: experimental

Potential Exploitation of RCE Vulnerability CVE-2025-33053

Detects potential exploitation of the remote code execution vulnerability CVE-2025-33053, in which unauthorized code execution via WebDAV is reached through external control of file names or paths. The exploit abuses legitimate utilities such as iediagcmd.exe or CustomShellHost.exe by pointing their working directory at an attacker-controlled WebDAV server, so that the Process.Start() search order resolves a child executable (for example route.exe) from the WebDAV path rather than from the legitimate system binary location.

Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Created: Fri Jun 13, 2025
Rule ID: abe06362-a5b9-4371-8724-ebd00cd48a04
Type: Emerging Threat (Active Threat)

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source
Product: Windows (raw: windows)
Category: Process Creation (raw: process_creation)

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic (4 selectors)
detection:
    selection_parent:
        ParentImage:
            - 'C:\Program Files\internet explorer\iediagcmd.exe'
            - 'C:\Windows\System32\CustomShellHost.exe'
    selection_child_current_dir:
        - CurrentDirectory|startswith: '\\\\'
        - CurrentDirectory|contains: '\DavWWWRoot\'
        - Image|contains: '\DavWWWRoot\'
        - Image|startswith: '\\\\'
    selection_child_img:
        Image|endswith:
            - '\route.exe'
            - '\netsh.exe'
            - '\makecab.exe'
            - '\dxdiag.exe'
            - '\ipconfig.exe'
            - '\explorer.exe'
    filter_main_system:
        Image|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
    condition: all of selection_* and not 1 of filter_main_*
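To show how the four selectors above combine, and how the search-order abuse described in the rule description surfaces in process-creation telemetry, here is an added example (not code from the rule, its author, or this page): a small Python evaluator for the rule's selection and filter logic, run over constructed process-creation events. Field names follow Sigma's windows/process_creation schema (ParentImage, Image, CurrentDirectory); the event IDs, hostnames, user name and the 203.0.113.10 documentation address are made up for illustration.

```python
# Added example, not part of the Sigma rule or the original page: a minimal
# evaluator for the rule's selectors over constructed process-creation events.
# Field names follow Sigma's windows/process_creation schema; all values are
# invented for illustration and are not real telemetry.

PARENT_IMAGES = {
    "c:\\program files\\internet explorer\\iediagcmd.exe",
    "c:\\windows\\system32\\customshellhost.exe",
}
CHILD_NAMES = ("\\route.exe", "\\netsh.exe", "\\makecab.exe",
               "\\dxdiag.exe", "\\ipconfig.exe", "\\explorer.exe")
SYSTEM_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
UNC_PREFIX = "\\\\"             # the rule's '\\\\': a UNC path such as \\host\share
DAV_MARKER = "\\davwwwroot\\"   # path component used by the WebDAV mini-redirector


def _lc(event, field):
    """Sigma string matching is case-insensitive by default, as are Windows paths."""
    return str(event.get(field, "")).lower()


def selection_parent(event):
    return _lc(event, "ParentImage") in PARENT_IMAGES


def selection_child_current_dir(event):
    # A YAML list under a selection is OR-ed: any one of the four tests suffices.
    cwd, image = _lc(event, "CurrentDirectory"), _lc(event, "Image")
    return (cwd.startswith(UNC_PREFIX) or DAV_MARKER in cwd
            or DAV_MARKER in image or image.startswith(UNC_PREFIX))


def selection_child_img(event):
    return _lc(event, "Image").endswith(CHILD_NAMES)


def filter_main_system(event):
    return _lc(event, "Image").startswith(SYSTEM_PREFIXES)


def matches(event):
    """condition: all of selection_* and not 1 of filter_main_*"""
    return bool(selection_parent(event)
                and selection_child_current_dir(event)
                and selection_child_img(event)
                and not filter_main_system(event))


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # exploit pattern: iediagcmd.exe resolves route.exe from an attacker WebDAV share
        "id": "webdav-route",
        "ParentImage": "C:\\Program Files\\internet explorer\\iediagcmd.exe",
        "Image": "\\\\203.0.113.10@80\\DavWWWRoot\\route.exe",
        "CurrentDirectory": "\\\\203.0.113.10@80\\DavWWWRoot\\",
    },
    {   # benign: same parent, but route.exe comes from System32 and the cwd is local
        "id": "local-route",
        "ParentImage": "C:\\Program Files\\internet explorer\\iediagcmd.exe",
        "Image": "C:\\Windows\\System32\\route.exe",
        "CurrentDirectory": "C:\\Users\\alice",
    },
    {   # UNC working directory but the genuine System32 binary: filter_main_system drops it
        "id": "unc-cwd-system-ipconfig",
        "ParentImage": "C:\\Windows\\System32\\CustomShellHost.exe",
        "Image": "C:\\Windows\\System32\\ipconfig.exe",
        "CurrentDirectory": "\\\\fileserver\\share",
    },
    {   # explorer.exe lives in C:\Windows, which the filter does not cover, so this alerts
        "id": "unc-cwd-real-explorer",
        "ParentImage": "C:\\Windows\\System32\\CustomShellHost.exe",
        "Image": "C:\\Windows\\explorer.exe",
        "CurrentDirectory": "\\\\fileserver\\share",
    },
    {   # wrong parent: the rule is scoped to the two abused hosts, not any WebDAV launch
        "id": "cmd-parent",
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
        "Image": "\\\\203.0.113.10@80\\DavWWWRoot\\route.exe",
        "CurrentDirectory": "\\\\203.0.113.10@80\\DavWWWRoot\\",
    },
]


def alerting_ids(events=SAMPLE_EVENTS):
    """Return the ids of the events the rule would fire on, in input order."""
    return [e["id"] for e in events if matches(e)]


if __name__ == "__main__":
    print(alerting_ids())   # ['webdav-route', 'unc-cwd-real-explorer']
```

Two triage points follow from the logic itself. First, the rule keys on the child's Image path, so it only works when the log source records full image paths (as Sysmon Event ID 1 and Windows 4688 do); a bare file name would never start with `\\` or with `C:\Windows\System32\`. Second, the filter only whitelists System32 and SysWOW64, while explorer.exe's legitimate location is C:\Windows\explorer.exe, so a CustomShellHost.exe child explorer.exe launched with a UNC working directory will alert; confirm the Image path during triage before treating such an event as exploitation.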
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

Rule Metadata
Rule ID
abe06362-a5b9-4371-8724-ebd00cd48a04
Status
experimental
Level
high
Type
Emerging Threat
Created
Fri Jun 13, 2025
Path
rules-emerging-threats/2025/Exploits/CVE-2025-33053/proc_creation_win_exploit_cve_2025_33053.yml
Raw Tags
attack.command-and-control, attack.execution, attack.defense-evasion, attack.t1218, attack.lateral-movement, attack.t1105, detection.emerging-threats, cve.2025-33053