Emerging Threathightest

Potential CVE-2303-36884 URL Request Pattern Traffic

Detects a specific URL pattern containing a specific extension and parameters pointing to an IP address. This pattern was seen being used by RomCOM potentially exploiting CVE-2023-36884

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

X__JuniorCreated Wed Jul 12d9365e39-febd-4a4b-8441-3ca91bb9d3332023

Emerging Threat

Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source

Proxy Log

CategoryProxy Log← raw: proxy

Detection Logic

detection:
    # Examples:
    #   hxxp://74.50[.]94[.]156/MSHTML_C7/zip_k.asp?d=99.99.99.99.
    #   104.234[.]239[.]26/share1/MSHTML_C7/1/99.99.99.99_a15fa_file001.htm?d=99.99.99.99_ a15fa_
    selection:
        cs-method: 'GET'
        c-uri|re: '\.(zip|asp|htm|url|xml|chm|mht|vbs|search-ms)\?d=[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

blogs.blackberry.com

MITRE ATT&CK

Tactics

TA0011 · Command and Control

Other

cve.2023-36884detection.emerging-threats

Rule Metadata

Rule ID

d9365e39-febd-4a4b-8441-3ca91bb9d333

Status

test

Level

high

Type

Emerging Threat

Created

Wed Jul 12

Author

X__Junior

Path

rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_extenstion_ip_pattern_traffic.yml

Raw Tags

attack.command-and-controlcve.2023-36884detection.emerging-threats

View on GitHub