Potential CVE-2023-36874 Exploitation - Fake Wermgr Execution
Detects the execution of a renamed "cmd", "powershell" or "powershell_ise" binary. Attackers were seen using these binaries in a renamed form as "wermgr.exe" in exploitation of CVE-2023-36874
Sigma rule
title: Potential CVE-2023-36874 Exploitation - Fake Wermgr Execution
id: 50dbc08b-60ce-40f1-a6b6-346497e34c88
status: test
description: Detects the execution of a renamed "cmd", "powershell" or "powershell_ise" binary. Attackers were seen using these binaries in a renamed form as "wermgr.exe" in exploitation of CVE-2023-36874
references:
    - https://github.com/Wh04m1001/CVE-2023-36874
    - https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-23
tags:
    - attack.execution
    - cve.2023-36874
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        OriginalFileName:
            - 'Cmd.Exe'
            - 'powershell_ise.EXE'
            - 'powershell.exe'
        Image|endswith: '\wermgr.exe'
    condition: selection
falsepositives:
    - Unlikely
level: high
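The rule's `selection` is a conjunction of two field tests: the PE version resource (OriginalFileName) identifies the binary as cmd.exe, powershell.exe or powershell_ise.exe, while the on-disk path (Image) ends in `\wermgr.exe`. The following is an added example, not part of the Sigma project or the rule above, that evaluates exactly that logic in Python against constructed process_creation events. Sigma string matching is case-insensitive by default, so both sides are lowercased; the field names and sample paths are constructed to follow the Sysmon/Sigma process_creation schema.

```python
# Added example: evaluates the Sigma rule's `selection` against constructed
# process_creation events. Not part of the Sigma project or of the rule itself.
# Sigma string comparisons are case-insensitive by default, so both the field
# value and the rule value are lowercased before comparison.

# Values taken from the rule's OriginalFileName list, lowercased for matching.
ORIGINAL_FILE_NAMES = {"cmd.exe", "powershell_ise.exe", "powershell.exe"}
# Value from the rule's `Image|endswith` modifier, lowercased for matching.
IMAGE_SUFFIX = "\\wermgr.exe"


def matches_fake_wermgr(event: dict) -> bool:
    """Return True when the event satisfies the rule's `selection`:
    OriginalFileName is one of the listed values AND Image ends with
    '\\wermgr.exe' (both compared case-insensitively, as Sigma does)."""
    original = str(event.get("OriginalFileName", "")).lower()
    image = str(event.get("Image", "")).lower()
    return original in ORIGINAL_FILE_NAMES and image.endswith(IMAGE_SUFFIX)


# Constructed sample events (hypothetical paths; field names follow the
# Sysmon/Sigma process_creation schema).
SAMPLE_EVENTS = [
    # Legitimate Windows Error Reporting manager: version info agrees with the path.
    {"Image": r"C:\Windows\System32\wermgr.exe", "OriginalFileName": "wermgr.exe"},
    # cmd.exe copied and renamed to wermgr.exe: the PE version info still says Cmd.Exe.
    {"Image": r"C:\Users\Public\wermgr.exe", "OriginalFileName": "Cmd.Exe"},
    # powershell.exe renamed; mixed-case path and OriginalFileName exercise case folding.
    {"Image": r"C:\TEMP\WERMGR.EXE", "OriginalFileName": "PowerShell.EXE"},
    # cmd.exe renamed to something other than wermgr.exe: outside this rule's scope.
    {"Image": r"C:\Users\Public\svchost.exe", "OriginalFileName": "Cmd.Exe"},
    # Ordinary cmd.exe launch: path and version info agree.
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe"},
]


def alerting_images(events) -> list:
    """Return the Image paths of all events that trigger the rule, in input order."""
    return [e["Image"] for e in events if matches_fake_wermgr(e)]


if __name__ == "__main__":
    for img in alerting_images(SAMPLE_EVENTS):
        print("ALERT Potential CVE-2023-36874 Exploitation - Fake Wermgr Execution:", img)
```

Two points worth noting from the sample set: the real PowerShell binary reports its OriginalFileName as `PowerShell.EXE`, so a case-sensitive implementation of the rule's `'powershell.exe'` entry would silently miss it, and the fourth event shows that the rule is deliberately narrow to the `wermgr.exe` name seen in the referenced exploitation rather than a generic renamed-binary detection.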
References
- https://github.com/Wh04m1001/CVE-2023-36874
- https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/
Related rules
- Potential CVE-2023-36874 Exploitation - Uncommon Report.Wer Location
- APT29 2018 Phishing Campaign CommandLine Indicators
- Adwind RAT / JRAT
- Blue Mockingbird
- CVE-2021-1675 Print Spooler Exploitation