Potential CVE-2023-36874 Exploitation - Fake Wermgr.Exe Creation

Detects the creation of a file named "wermgr.exe" being created in an uncommon directory. This could be a sign of potential exploitation of CVE-2023-36874.

Sigma rule (View on GitHub)

 1title: Potential CVE-2023-36874 Exploitation - Fake Wermgr.Exe Creation
 2id: ad0960eb-0015-4d16-be13-b3d9f18f1342
 3status: test
 4description: Detects the creation of a file named "wermgr.exe" being created in an uncommon directory. This could be a sign of potential exploitation of CVE-2023-36874.
 5references:
 6    - https://github.com/Wh04m1001/CVE-2023-36874
 7    - https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/
 8author: Nasreddine Bencherchali (Nextron Systems)
 9date: 2023-08-23
10modified: 2023-10-08
11tags:
12    - attack.execution
13    - cve.2023-36874
14    - detection.emerging-threats
15logsource:
16    category: file_event
17    product: windows
18detection:
19    selection:
20        TargetFilename|endswith: '\wermgr.exe'
21    filter_main_locations:
22        TargetFilename|contains:
23            - ':\$WINDOWS.~BT\NewOS\'
24            - ':\$WinREAgent\' # From "wuauclt.exe"
25            - ':\Windows\servicing\LCU\'
26            - ':\Windows\System32\'
27            - ':\Windows\SysWOW64\'
28            - ':\Windows\WinSxS\'
29            - ':\WUDownloadCache\' # Windows Update Download Cache
30    condition: selection and not 1 of filter_main_*
31falsepositives:
32    - Unknown
33level: high

References

Related rules

to-top