Potential CVE-2023-36884 Exploitation Dropped File

Detects a specific file being created in the recent folder of Office. These files have been seen being dropped during potential exploitations of CVE-2023-36884

Sigma rule

title: Potential CVE-2023-36884 Exploitation Dropped File
id: 8023d3a2-dcdc-44da-8fa9-5c7906e55b38
status: experimental
description: Detects a specific file being created in the recent folder of Office. These files have been seen being dropped during potential exploitations of CVE-2023-36884
references:
    - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
    - https://twitter.com/wdormann/status/1679184475677130755
    - https://twitter.com/r00tbsd/status/1679042071477338114/photo/1
author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
date: 2023/07/13
tags:
    - attack.persistence
    - attack.defense_evasion
    - cve.2023.36884
    - detection.emerging_threats
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|contains: '\AppData\Roaming\Microsoft\Office\Recent\'
        TargetFilename|endswith: '\file001.url'
    condition: selection
falsepositives:
    - Unknown
level: medium
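As an added illustration, not part of the rule above or of the Sigma project, the following Python evaluator applies this rule's `selection` to a few constructed file_event records. It implements Sigma's default case-insensitive semantics for the `startswith`, `contains` and `endswith` modifiers and AND-s the three field conditions, so it shows which paths the rule would flag and which it ignores. The sample events and their paths are constructed, not real telemetry.

```python
# Minimal evaluator for the Sigma selection of the CVE-2023-36884 dropped-file rule.
# Sigma string modifiers match case-insensitively by default, so both sides are
# lowercased before comparison. Patterns are copied from the rule's selection block.
RULE_SELECTION = {
    "TargetFilename|startswith": "C:\\Users\\",
    "TargetFilename|contains": "\\AppData\\Roaming\\Microsoft\\Office\\Recent\\",
    "TargetFilename|endswith": "\\file001.url",
}


def field_matches(value: str, modifier: str, pattern: str) -> bool:
    """Apply one Sigma string modifier to a single field value."""
    v, p = value.lower(), pattern.lower()
    if modifier == "startswith":
        return v.startswith(p)
    if modifier == "contains":
        return p in v
    if modifier == "endswith":
        return v.endswith(p)
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(event: dict, selection: dict = RULE_SELECTION) -> bool:
    """All entries of a Sigma selection map must hold (logical AND)."""
    for key, pattern in selection.items():
        field, _, modifier = key.partition("|")
        value = event.get(field)
        if value is None or not field_matches(value, modifier, pattern):
            return False
    return True


# Constructed sample file_event records (shape of Sysmon Event ID 11 FileCreate).
SAMPLE_EVENTS = [
    # Matches all three conditions: the path the rule is looking for.
    {"TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Office\\Recent\\file001.url"},
    # Ordinary Office recent-items shortcut: right folder, wrong file name.
    {"TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Office\\Recent\\report.docx.LNK"},
    # Same file name outside a user profile: startswith/contains fail.
    {"TargetFilename": "C:\\Temp\\file001.url"},
]


def alerts(events):
    """Return the TargetFilename of every event the rule's selection matches."""
    return [e["TargetFilename"] for e in events if selection_matches(e)]


if __name__ == "__main__":
    for path in alerts(SAMPLE_EVENTS):
        print("ALERT:", path)
```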
