Phoenix
Sigma IntelligenceBeta
Back to Rules
Emerging Threatlowtest

CVE-2023-40477 Potential Exploitation - .REV File Creation

Detects the creation of ".rev" files by WinRAR. Could be indicative of potential exploitation of CVE-2023-40477. Look for a suspicious execution shortly after creation or a WinRAR application crash.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Nasreddine Bencherchali (Nextron Systems)Created Thu Aug 31c3bd6c55-d495-4c34-918e-e03e8828c0742023
Emerging Threat
Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source
WindowsFile Event
ProductWindows← raw: windows
CategoryFile Event← raw: file_event

Events for file system activity including creation, modification, and deletion.

Detection Logic
Detection Logic1 selector
detection:
    selection:
        Image|endswith:
            - '\explorer.exe' # When extracted via context menu
            - '\WinRAR.exe'
        TargetFilename|endswith: '.rev'
    condition: selection
False Positives

Legitimate extraction of multipart or recovery volumes ZIP files

References
1
Resolving title…
wildptr.io
2
Resolving title…
github.com
3
Resolving title…
rarlab.com
MITRE ATT&CK

Other

cve.2023-40477detection.emerging-threats
Rule Metadata
Rule ID
c3bd6c55-d495-4c34-918e-e03e8828c074
Status
test
Level
low
Type
Emerging Threat
Created
Thu Aug 31
Author
Nasreddine Bencherchali (Nextron Systems)
Path
rules-emerging-threats/2023/Exploits/CVE-2023-40477/file_event_win_exploit_cve_2023_40477_winrar_rev_file_abuse.yml
Raw Tags
attack.executioncve.2023-40477detection.emerging-threats
View on GitHub