Potential CVE-2023-27363 Exploitation - HTA File Creation By FoxitPDFReader
Detects suspicious ".hta" file creation in the startup folder by Foxit Reader. This can be an indication of CVE-2023-27363 exploitation.
Sigma rule
title: Potential CVE-2023-27363 Exploitation - HTA File Creation By FoxitPDFReader
id: 9cae055f-e1d2-4f81-b8a5-1986a68cdd84
status: test
description: Detects suspicious ".hta" file creation in the startup folder by Foxit Reader. This can be an indication of CVE-2023-27363 exploitation.
references:
  - https://github.com/j00sean/SecBugs/tree/ff72d553f75d93e1a0652830c0f74a71b3f19c46/CVEs/CVE-2023-27363
  - https://www.zerodayinitiative.com/advisories/ZDI-23-491/
  - https://www.tarlogic.com/blog/cve-2023-27363-foxit-reader/
author: Gregory
date: 2023-10-11
tags:
  - attack.persistence
  - attack.t1505.001
  - cve.2023-27363
  - detection.emerging-threats
logsource:
  product: windows
  category: file_event
detection:
  selection:
    Image|endswith: '\FoxitPDFReader.exe'
    TargetFilename|contains: '\Microsoft\Windows\Start Menu\Programs\Startup\'
    TargetFilename|endswith: '.hta'
  condition: selection
falsepositives:
  - Unknown
level: high
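To show how the rule's `selection` block behaves against real telemetry, the following added example (not part of the Sigma rule above or of any Sigma tooling) applies the three conditions to Windows file-creation events. It assumes Sysmon Event ID 11 style records with `Image` and `TargetFilename` fields; the sample events, paths and record ids are constructed for the example, and the `matches`/`scan` helpers are hypothetical names. It also mirrors a detail practitioners often miss: Sigma string modifiers such as `endswith` and `contains` are case-insensitive by default, so a file written as `UPDATE.HTA` still fires.

```python
# Added example, not the Sigma rule's own code or any Sigma backend. Evaluates the
# rule's `selection` (an AND of its three entries) against Sysmon EID 11 style
# events, an assumption about the log format behind `category: file_event`.
from typing import Dict, List

# Field, modifier and value transcribed from the rule's `selection` block.
SELECTION = [
    ("Image", "endswith", "\\FoxitPDFReader.exe"),
    ("TargetFilename", "contains", "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"),
    ("TargetFilename", "endswith", ".hta"),
]


def _match(value: str, modifier: str, pattern: str) -> bool:
    """Sigma string comparisons are case-insensitive unless |cased is used."""
    v, p = value.lower(), pattern.lower()
    if modifier == "endswith":
        return v.endswith(p)
    if modifier == "contains":
        return p in v
    if modifier == "startswith":
        return v.startswith(p)
    return v == p


def matches(event: Dict[str, str]) -> bool:
    """True when the event satisfies every SELECTION entry (condition: selection).
    A missing field fails the match instead of raising."""
    for field, modifier, pattern in SELECTION:
        value = event.get(field)
        if value is None or not _match(value, modifier, pattern):
            return False
    return True


def scan(events: List[Dict[str, str]]) -> List[str]:
    """Return the RecordIds of the events that would trigger the rule."""
    return [e["RecordId"] for e in events if matches(e)]


# Constructed sample events; user names, paths and record ids are made up.
STARTUP = "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"
FOXIT = "C:\\Program Files\\Foxit Software\\Foxit PDF Reader\\FoxitPDFReader.exe"
SAMPLE_EVENTS = [
    # .hta dropped into the Startup folder by Foxit: the behaviour the rule targets
    {"RecordId": "1", "EventID": "11", "Image": FOXIT, "TargetFilename": STARTUP + "update.hta"},
    # Benign: Foxit writing a cache file outside the Startup folder
    {"RecordId": "2", "EventID": "11", "Image": FOXIT,
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\cache.dat"},
    # Same as record 1 with different casing: still matches (case-insensitive modifiers)
    {"RecordId": "3", "EventID": "11", "Image": FOXIT.upper(),
     "TargetFilename": (STARTUP + "Update.HTA").upper()},
    # .hta in Startup written by another process: out of scope for this rule
    {"RecordId": "4", "EventID": "11", "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": STARTUP + "note.hta"},
    # Malformed event with no Image field: must neither match nor crash
    {"RecordId": "5", "EventID": "11", "TargetFilename": STARTUP + "x.hta"},
]

if __name__ == "__main__":
    print("rule fires on records:", scan(SAMPLE_EVENTS))  # ['1', '3']
```

Record 4 is the case to keep in mind when tuning: an `.hta` landing in the Startup folder from any other process is not covered by this rule, since the selection pins the writing process to `FoxitPDFReader.exe`, so a broader persistence rule is needed if that is the behaviour of concern.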