Potential CVE-2023-36884 Exploitation Pattern
Detects a unique pattern seen being used by RomCom potentially exploiting CVE-2023-36884
Sigma rule
title: Potential CVE-2023-36884 Exploitation Pattern
id: 0066d244-c277-4c3e-88ec-9e7b777cc8bc
status: test
description: Detects a unique pattern seen being used by RomCom potentially exploiting CVE-2023-36884
references:
    - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
author: X__Junior
date: 2023-07-12
tags:
    - attack.command-and-control
    - cve.2023-36884
    - detection.emerging-threats
logsource:
    category: proxy
detection:
    selection:
        cs-method: 'GET'
        c-uri|contains: '/MSHTML_C7/'
        c-uri|re: '\?d=[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
    condition: selection
falsepositives:
    - Unknown
level: critical
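The rule's `selection` block ANDs three conditions on a proxy event: a GET method, the `/MSHTML_C7/` path marker, and a `?d=<ipv4>` query parameter. The following added example (not part of the Sigma rule or repository) applies that logic over constructed W3C-style proxy log lines; the `#Fields` layout, hostnames and IP values are assumptions made up for the example.

```python
import re
from typing import Dict, List

# Mirrors the rule's selection. Sigma string matches ('contains', plain
# equality) are case-insensitive by default; the 're' modifier is not.
URI_MARKER = "/mshtml_c7/"
URI_IP_PARAM = re.compile(r"\?d=[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}")


def matches_rule(event: Dict[str, str]) -> bool:
    """True when a proxy event satisfies all three selection conditions.

    Field names follow the rule (Sigma proxy category / W3C extended log)."""
    uri = event.get("c-uri", "")
    return (
        event.get("cs-method", "").upper() == "GET"
        and URI_MARKER in uri.casefold()
        and URI_IP_PARAM.search(uri) is not None
    )


def parse_w3c_line(line: str, fields: List[str]) -> Dict[str, str]:
    """Split one space-delimited W3C extended log line into a field dict."""
    return dict(zip(fields, line.split()))


# Constructed sample data: a hypothetical '#Fields:' layout and four events.
FIELDS = ["date", "time", "c-ip", "cs-method", "c-uri", "sc-status"]
SAMPLE_LOG = [
    # marker directory AND ?d=<ipv4> on a GET -> alert
    "2023-07-12 10:01:02 10.0.0.5 GET http://example.invalid/MSHTML_C7/f.html?d=10.0.0.5 200",
    # marker directory only, no ?d= parameter -> no alert
    "2023-07-12 10:01:03 10.0.0.5 GET http://example.invalid/MSHTML_C7/f.html 200",
    # ?d=<ipv4> parameter only, different path -> no alert
    "2023-07-12 10:01:04 10.0.0.6 GET http://example.invalid/other/?d=192.168.1.10 200",
    # both URI conditions but a POST -> no alert (rule requires GET)
    "2023-07-12 10:01:05 10.0.0.7 POST http://example.invalid/MSHTML_C7/x?d=1.2.3.4 200",
]


def find_hits(lines: List[str]) -> List[Dict[str, str]]:
    """Run the rule over raw log lines and return the matching events."""
    return [ev for ev in (parse_w3c_line(ln, FIELDS) for ln in lines) if matches_rule(ev)]


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print("ALERT", hit["c-ip"], hit["c-uri"])
```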
Related rules
- Potential CVE-2023-36884 Exploitation - File Downloads
- Potential CVE-2023-36884 Exploitation - Share Access
- Potential CVE-2023-36884 Exploitation - URL Marker
- Potential CVE-2023-36884 URL Request Pattern Traffic
- DPRK Threat Actor - C2 Communication DNS Indicators