Emerging Threathightest

CVE-2023-38331 Exploitation Attempt - Suspicious Double Extension File

Detects the creation of a file with a double extension and a space by WinRAR. This could be a sign of exploitation of CVE-2023-38331

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Nasreddine Bencherchali (Nextron Systems)Created Wed Aug 30e4556676-fc5c-4e95-8c39-5ef27791541f2023

Emerging Threat

Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source

WindowsFile Event

ProductWindows← raw: windows

CategoryFile Event← raw: file_event

Events for file system activity including creation, modification, and deletion.

Detection Logic

detection:
    selection:
        Image|endswith: '\WinRAR.exe'
        TargetFilename|contains: '\AppData\Local\Temp\Rar$'
        TargetFilename|re: '\.[a-zA-Z0-9]{1,4} \.'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

MITRE ATT&CK

Tactics

TA0002 · Execution

Other

cve.2023-38331detection.emerging-threats

Related Rules

SimilarEmerging Threathigh

CVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process

Detects exploitation attempt of CVE-2023-38331 (WinRAR before v6.23), where an attacker can leverage WinRAR to execute arbitrary commands and binaries.

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata

Rule ID

e4556676-fc5c-4e95-8c39-5ef27791541f

Status

test

Level

high

Type

Emerging Threat

Created

Wed Aug 30

Author

Nasreddine Bencherchali (Nextron Systems)

Path

rules-emerging-threats/2023/Exploits/CVE-2023-38831/file_event_win_exploit_cve_2023_38331_winrar_susp_double_ext.yml

Raw Tags

attack.executioncve.2023-38331detection.emerging-threats

View on GitHub