Potential CVE-2023-36874 Exploitation - Fake Wermgr.Exe Creation
Detects the creation of a file named "wermgr.exe" being created in an uncommon directory. This could be a sign of potential exploitation of CVE-2023-36874.
Sigma rule (View on GitHub)
1title: Potential CVE-2023-36874 Exploitation - Fake Wermgr.Exe Creation
2id: ad0960eb-0015-4d16-be13-b3d9f18f1342
3status: test
4description: Detects the creation of a file named "wermgr.exe" being created in an uncommon directory. This could be a sign of potential exploitation of CVE-2023-36874.
5references:
6 - https://github.com/Wh04m1001/CVE-2023-36874
7 - https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/
8author: Nasreddine Bencherchali (Nextron Systems)
9date: 2023-08-23
10modified: 2025-01-13
11tags:
12 - attack.execution
13 - cve.2023-36874
14 - detection.emerging-threats
15logsource:
16 category: file_event
17 product: windows
18detection:
19 selection:
20 TargetFilename|endswith: '\wermgr.exe'
21 filter_main_locations:
22 TargetFilename|contains:
23 - ':\$WINDOWS.~BT\NewOS\'
24 - ':\$WinREAgent\' # From "wuauclt.exe"
25 - ':\Windows\servicing\LCU\'
26 - ':\Windows\System32\'
27 - ':\Windows\SysWOW64\'
28 - ':\Windows\WinSxS\'
29 - ':\WUDownloadCache\' # Windows Update Download Cache
30 - ':\Windows\SoftwareDistribution\Download\'
31 condition: selection and not 1 of filter_main_*
32falsepositives:
33 - Unknown
34level: high
References
Related rules
- Potential CVE-2023-36874 Exploitation - Fake Wermgr Execution
- Potential CVE-2023-36874 Exploitation - Uncommon Report.Wer Location
- Potential Raspberry Robin CPL Execution Activity
- Qakbot Regsvr32 Calc Pattern
- CVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process