Potential CVE-2023-36874 Exploitation - Uncommon Report.Wer Location
Detects the creation of a "Report.wer" file in an uncommon folder structure. This could be a sign of potential exploitation of CVE-2023-36874.
Sigma rule (View on GitHub)
1title: Potential CVE-2023-36874 Exploitation - Uncommon Report.Wer Location
2id: 92389a99-5215-43b0-a09f-e334453b2ed3
3status: experimental
4description: Detects the creation of a "Report.wer" file in an uncommon folder structure. This could be a sign of potential exploitation of CVE-2023-36874.
5references:
6 - https://github.com/Wh04m1001/CVE-2023-36874
7 - https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/
8author: Nasreddine Bencherchali (Nextron Systems)
9date: 2023/08/23
10tags:
11 - attack.execution
12 - cve.2023.36874
13 - detection.emerging_threats
14logsource:
15 category: file_event
16 product: windows
17detection:
18 selection:
19 TargetFilename|contains: ':\ProgramData\Microsoft\Windows\WER\ReportArchive\'
20 TargetFilename|endswith: '\Report.wer'
21 filter_main_locations:
22 TargetFilename|contains:
23 # Note: This list is non exhaustive. Use this as a start for hunting for suspicious folder report
24 - '\ReportArchive\AppCrash_'
25 - '\ReportArchive\AppHang_'
26 - '\ReportArchive\Critical_'
27 - '\ReportArchive\Kernel_'
28 - '\ReportArchive\NonCritical_'
29 condition: selection and not 1 of filter_main_*
30falsepositives:
31 - Unknown
32level: medium
References
-
-
The Falcon Complete MDR team discovered and blocked a zero-day exploit (CVE-2023-36874) affecting Windows Error Reporting. Learn more about the discovery and response!
Read More
Related rules
- Potential CVE-2023-36874 Exploitation - Fake Wermgr Execution
- CVE-2023-38331 Exploitation Attempt - Suspicious Double Extension File
- CVE-2023-40477 Potential Exploitation - .REV File Creation
- CVE-2023-40477 Potential Exploitation - WinRAR Application Crash
- Potential BlackByte Ransomware Activity