Potential CVE-2023-36874 Exploitation - Uncommon Report.Wer Location
Detects the creation of a "Report.wer" file in an uncommon folder structure beneath the Windows Error Reporting ReportArchive directory, i.e. a report folder whose name does not start with one of the prefixes WER itself uses (AppCrash_, AppHang_, Critical_, Kernel_, NonCritical_). This could be a sign of potential exploitation of CVE-2023-36874, the Windows Error Reporting Service elevation of privilege vulnerability.
Sigma rule
title: Potential CVE-2023-36874 Exploitation - Uncommon Report.Wer Location
id: 92389a99-5215-43b0-a09f-e334453b2ed3
status: test
description: Detects the creation of a "Report.wer" file in an uncommon folder structure. This could be a sign of potential exploitation of CVE-2023-36874.
references:
    - https://github.com/Wh04m1001/CVE-2023-36874
    - https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-23
tags:
    - attack.execution
    - cve.2023-36874
    - detection.emerging-threats
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|contains: ':\ProgramData\Microsoft\Windows\WER\ReportArchive\'
        TargetFilename|endswith: '\Report.wer'
    filter_main_locations:
        TargetFilename|contains:
            # Note: This list is non-exhaustive. Use it as a starting point for hunting for suspicious report folders.
            - '\ReportArchive\AppCrash_'
            - '\ReportArchive\AppHang_'
            - '\ReportArchive\Critical_'
            - '\ReportArchive\Kernel_'
            - '\ReportArchive\NonCritical_'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
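To show what the rule's condition actually does before it is deployed, the added example below (not part of the Sigma rule or of SigmaHQ) re-implements the `selection and not 1 of filter_main_*` logic in Python and runs it over a handful of constructed Sysmon Event ID 11 (FileCreate) records. Sigma string modifiers match case-insensitively by default, so the comparison lowercases both sides. The file paths, process images and the `Foo`/`Bar` report folder names are constructed for the example and are not taken from the PoC or the CrowdStrike write-up.

```python
"""Evaluate the 'Uncommon Report.Wer Location' Sigma rule logic over sample events.

Added example, not code from the Sigma rule. The events below are constructed.
"""

# Strings lifted from the rule's detection section (Sigma matches them case-insensitively).
SELECTION_CONTAINS = ":\\ProgramData\\Microsoft\\Windows\\WER\\ReportArchive\\"
SELECTION_ENDSWITH = "\\Report.wer"
FILTER_MAIN_LOCATIONS = [
    "\\ReportArchive\\AppCrash_",
    "\\ReportArchive\\AppHang_",
    "\\ReportArchive\\Critical_",
    "\\ReportArchive\\Kernel_",
    "\\ReportArchive\\NonCritical_",
]


def matches_rule(target_filename: str) -> bool:
    """Return True when TargetFilename satisfies `selection and not 1 of filter_main_*`."""
    name = target_filename.lower()
    selection = (
        SELECTION_CONTAINS.lower() in name
        and name.endswith(SELECTION_ENDSWITH.lower())
    )
    if not selection:
        return False
    # `1 of filter_main_*`: any filter block matching suppresses the event.
    filtered = any(loc.lower() in name for loc in FILTER_MAIN_LOCATIONS)
    return not filtered


# Constructed Sysmon Event ID 11 records (only the fields the rule needs).
WER_ARCHIVE = "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportArchive\\"
SAMPLE_EVENTS = [
    # Benign: a normal application-crash report written by WER itself.
    {"EventID": 11, "Image": "C:\\Windows\\System32\\WerFault.exe",
     "TargetFilename": WER_ARCHIVE + "AppCrash_notepad.exe_0123abcd\\Report.wer"},
    # Benign: a kernel report folder.
    {"EventID": 11, "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetFilename": WER_ARCHIVE + "Kernel_141_0123abcd\\Report.wer"},
    # Suspicious: Report.wer in a folder with no WER prefix (what the rule hunts for).
    {"EventID": 11, "Image": "C:\\Users\\Public\\poc.exe",
     "TargetFilename": WER_ARCHIVE + "Foo\\Report.wer"},
    # Suspicious, lower-case path: must still fire because Sigma matching is case-insensitive.
    {"EventID": 11, "Image": "c:\\users\\public\\poc.exe",
     "TargetFilename": "c:\\programdata\\microsoft\\windows\\wer\\reportarchive\\Bar\\report.wer"},
    # Out of scope: same file name under ReportQueue, not ReportArchive.
    {"EventID": 11, "Image": "C:\\Windows\\System32\\WerFault.exe",
     "TargetFilename": "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\Foo\\Report.wer"},
    # Out of scope: a different file inside an uncommon ReportArchive folder.
    {"EventID": 11, "Image": "C:\\Users\\Public\\poc.exe",
     "TargetFilename": WER_ARCHIVE + "Foo\\Report.wer.tmp"},
]


def alerts(events):
    """Return the TargetFilename of every FileCreate event the rule would alert on."""
    return [
        e["TargetFilename"]
        for e in events
        if e.get("EventID") == 11 and matches_rule(e["TargetFilename"])
    ]


if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Two of the six constructed events fire: the two Report.wer files in folders that carry none of the listed WER prefixes. Because the filter list is explicitly non-exhaustive, the practical tuning step is to run the logic over a day of real ReportArchive FileCreate events and add any legitimate prefixes that surface to `filter_main_locations` rather than raising the `level` or widening the selection.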
Related rules
- Potential CVE-2023-36874 Exploitation - Fake Wermgr Execution
- APT29 2018 Phishing Campaign CommandLine Indicators
- Adwind RAT / JRAT
- Blue Mockingbird
- CVE-2021-1675 Print Spooler Exploitation