Emerging Threat | Level: medium | Status: test

CVE-2023-40477 Potential Exploitation - WinRAR Application Crash

Detects a crash of "WinRAR.exe" where the version is lower than 6.23. This could indicate potential exploitation of CVE-2023-40477.

Author: Nasreddine Bencherchali (Nextron Systems)
Created: Thu Aug 31, 2023
Rule ID: e5a29b54-6fe7-4258-8a23-82960e31231a
Emerging Threat
Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source
Product: Windows (raw: windows)
Service: application (raw: application)
Detection Logic (2 selectors)
detection:
    selection:
        Provider_Name: 'Application Error'
        EventID: 1000
        AppName: 'WinRAR.exe'
    filter_main_fixed_version:
        # TODO: fix this when the "lt" modifier is implemented for software versions
        AppVersion|startswith:
            - '6.23.'
            - '6.24.'
            - '6.25.'
            - '6.26.'
            - '7.'
    condition: selection and not 1 of filter_main_*
False Positives

Legitimate crash for reasons other than exploitation of the vulnerability

MITRE ATT&CK

Other

cve.2023-40477, detection.emerging-threats
Rule Metadata
Rule ID
e5a29b54-6fe7-4258-8a23-82960e31231a
Status
test
Level
medium
Type
Emerging Threat
Created
Thu Aug 31, 2023
Path
rules-emerging-threats/2023/Exploits/CVE-2023-40477/win_application_exploit_cve_2023_40477_winrar_crash.yml
Raw Tags
attack.execution, cve.2023-40477, detection.emerging-threats