Potential CVE-2023-36874 Exploitation - Fake Wermgr Execution

Detects the execution of a renamed "cmd", "powershell" or "powershell_ise" binary. Attackers were seen using these binaries in a renamed form as "wermgr.exe" in exploitation of CVE-2023-36874.

Sigma rule (View on GitHub)

title: Potential CVE-2023-36874 Exploitation - Fake Wermgr Execution
id: 50dbc08b-60ce-40f1-a6b6-346497e34c88
status: experimental
description: Detects the execution of a renamed "cmd", "powershell" or "powershell_ise" binary. Attackers were seen using these binaries in a renamed form as "wermgr.exe" in exploitation of CVE-2023-36874
references:
    - https://github.com/Wh04m1001/CVE-2023-36874
    - https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/08/23
tags:
    - attack.execution
    - cve.2023.36874
    - detection.emerging_threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        OriginalFileName:
            - 'Cmd.Exe'
            - 'powershell_ise.EXE'
            - 'powershell.exe'
        Image|endswith: '\wermgr.exe'
    condition: selection
falsepositives:
    - Unlikely
level: high
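
The rule's selection logic applied to process-creation events, as an added example (not part of the original page or the Sigma repository). The event records, their paths and the function names `matches_rule` and `detect` are constructed for illustration; it shows which events fire and why the rule is blind when `OriginalFileName` is not logged.

```python
# Added example: evaluates the rule's `selection` against constructed
# Sysmon-style process_creation events. All field values are made up.

ORIGINAL_NAMES = {"cmd.exe", "powershell_ise.exe", "powershell.exe"}
IMAGE_SUFFIX = "\\wermgr.exe"  # leading backslash anchors on the file name


def matches_rule(event: dict) -> bool:
    """True when both fields of the selection match (fields are ANDed)."""
    original = event.get("OriginalFileName")
    image = event.get("Image")
    if not isinstance(original, str) or not isinstance(image, str):
        return False  # field not present in this log source: rule cannot fire
    # Sigma string matching is case-insensitive by default.
    return (original.lower() in ORIGINAL_NAMES
            and image.lower().endswith(IMAGE_SUFFIX))


# Constructed sample events (not taken from any real incident).
SAMPLE_EVENTS = [
    # cmd.exe copied and renamed to wermgr.exe: should alert
    {"Image": r"C:\Users\Public\demo\wermgr.exe", "OriginalFileName": "Cmd.Exe"},
    # a wermgr.exe whose PE metadata is not a shell: no alert
    {"Image": r"C:\Windows\System32\wermgr.exe", "OriginalFileName": "WerMgr.exe"},
    # ordinary cmd.exe under its own name: no alert
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe"},
    # case differences in both fields: should still alert
    {"Image": r"D:\TMP\WERMGR.EXE", "OriginalFileName": "PowerShell.EXE"},
    # telemetry without OriginalFileName: missed by this rule
    {"Image": r"C:\Temp\wermgr.exe"},
    # file name only ends with the string, no path separator before it: no alert
    {"Image": r"C:\Temp\notwermgr.exe", "OriginalFileName": "Cmd.Exe"},
]


def detect(events):
    """Return the Image path of every event the selection matches."""
    return [e["Image"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("ALERT fake wermgr.exe:", hit)
```

Because the match depends on `OriginalFileName`, confirm that the process-creation source feeding the rule actually populates that field before relying on it.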
