Potential CVE-2023-36874 Exploitation - Uncommon Report.Wer Location

Detects the creation of a "Report.wer" file in an uncommon folder structure. This could be a sign of potential exploitation of CVE-2023-36874.

Sigma rule

title: Potential CVE-2023-36874 Exploitation - Uncommon Report.Wer Location
id: 92389a99-5215-43b0-a09f-e334453b2ed3
status: test
description: Detects the creation of a "Report.wer" file in an uncommon folder structure. This could be a sign of potential exploitation of CVE-2023-36874.
references:
    - https://github.com/Wh04m1001/CVE-2023-36874
    - https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/08/23
tags:
    - attack.execution
    - cve.2023.36874
    - detection.emerging_threats
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|contains: ':\ProgramData\Microsoft\Windows\WER\ReportArchive\'
        TargetFilename|endswith: '\Report.wer'
    filter_main_locations:
        TargetFilename|contains:
            # Note: This list is non-exhaustive. Use it as a starting point for hunting for suspicious report folders.
            - '\ReportArchive\AppCrash_'
            - '\ReportArchive\AppHang_'
            - '\ReportArchive\Critical_'
            - '\ReportArchive\Kernel_'
            - '\ReportArchive\NonCritical_'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
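The rule's logic is small enough to re-implement and test offline. The following is an added example, not code from the Sigma project or the rule's author: it mirrors the `selection` and `filter_main_locations` blocks in Python (Sigma string modifiers such as `contains` and `endswith` are case-insensitive by default, which the code reproduces) and runs them over a handful of constructed file-create events. The event dictionaries, the `matches_rule`/`alerts` helpers and the folder names in the sample paths are assumptions made for the example, not real telemetry or known exploit artifacts.

```python
"""Added example: Python re-implementation of the Sigma rule above, run over
constructed file_event records. Not part of the original page or the Sigma project."""

# Values copied from the rule's detection block (Windows paths, so backslashes are escaped).
SELECTION_CONTAINS = ":\\ProgramData\\Microsoft\\Windows\\WER\\ReportArchive\\"
SELECTION_ENDSWITH = "\\Report.wer"
FILTER_MAIN_LOCATIONS = [
    "\\ReportArchive\\AppCrash_",
    "\\ReportArchive\\AppHang_",
    "\\ReportArchive\\Critical_",
    "\\ReportArchive\\Kernel_",
    "\\ReportArchive\\NonCritical_",
]


def matches_rule(target_filename: str) -> bool:
    """Return True when a TargetFilename satisfies
    'selection and not 1 of filter_main_*' as written in the rule."""
    # Sigma string matching is case-insensitive by default, so compare lowercased.
    path = target_filename.lower()
    selection = (
        SELECTION_CONTAINS.lower() in path
        and path.endswith(SELECTION_ENDSWITH.lower())
    )
    # '1 of filter_main_*': any filter in the group suppresses the match.
    filter_main = any(loc.lower() in path for loc in FILTER_MAIN_LOCATIONS)
    return selection and not filter_main


# Constructed sample events in a Sysmon EventID 11 (FileCreate) style.
# Folder names such as 'Custom_Sub' are invented for the example.
SAMPLE_EVENTS = [
    # Ordinary WER report folders: suppressed by the filter.
    {"EventID": 11, "TargetFilename":
        "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportArchive\\AppCrash_notepad.exe_0001\\Report.wer"},
    {"EventID": 11, "TargetFilename":
        "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportArchive\\Kernel_0002\\Report.wer"},
    # Report.wer under an uncommon subfolder: this is what the rule flags.
    {"EventID": 11, "TargetFilename":
        "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportArchive\\Custom_Sub\\Report.wer"},
    # Wrong file name (temporary file), so 'endswith' fails.
    {"EventID": 11, "TargetFilename":
        "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportArchive\\Custom_Sub\\Report.wer.tmp"},
    # Right file name outside ReportArchive: 'contains' fails.
    {"EventID": 11, "TargetFilename": "C:\\Users\\alice\\Report.wer"},
]


def alerts(events):
    """Return the TargetFilename of every event that the rule would alert on."""
    return [e["TargetFilename"] for e in events if matches_rule(e["TargetFilename"])]


if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Because the rule filters on known report-folder prefixes rather than allow-listing a process, a `Report.wer` written directly into `ReportArchive\` or into any subfolder not starting with one of the listed prefixes will match; when tuning, extend `filter_main_locations` with additional prefixes observed in the environment rather than loosening `selection`.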
