Emerging Threathightest

Potential CVE-2023-36884 Exploitation - URL Marker

Detects a unique URL marker seen being used by RomCom potentially exploiting CVE-2023-36884

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

X__JuniorCreated Wed Jul 12e59f71ff-c042-4f7a-8a82-8f53beea817e2023

Emerging Threat

Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source

Proxy Log

CategoryProxy Log← raw: proxy

Detection Logic

detection:
    selection:
        cs-method: 'GET'
        c-uri|contains: '/MSHTML_C7/'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

MITRE ATT&CK

Tactics

Other

cve.2023-36884detection.emerging-threats

Rule Metadata

Rule ID

e59f71ff-c042-4f7a-8a82-8f53beea817e

Status

test

Level

high

Type

Emerging Threat

Created

Wed Jul 12

Author

Path

rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_url_marker_traffic.yml

Raw Tags

attack.command-and-controlcve.2023-36884detection.emerging-threats