Potential CVE-2023-36884 Exploitation Pattern

 1title: Potential CVE-2023-36884 Exploitation Pattern
 2id: 0066d244-c277-4c3e-88ec-9e7b777cc8bc
 3status: experimental
 4description: Detects a unique pattern seen being used by RomCom potentially exploiting CVE-2023-36884
 5references:
 6    - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
 7author: X__Junior
 8date: 2023/07/12
 9tags:
10    - attack.command_and_control
11    - cve.2023.36884
12    - detection.emerging_threats
13logsource:
14    category: proxy
15detection:
16    selection:
17        cs-method: 'GET'
18        c-uri|contains: '/MSHTML_C7/'
19        c-uri|re: '\?d=[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
20    condition: selection
21falsepositives:
22    - Unknown
23level: critical

References

• RomCom Threat Actor Suspected of Targeting Ukraine's NATO Membership Talks at the NATO Summit

  

  The BlackBerry Threat Research and Intelligence team has uncovered malicious lures targeting guests of the upcoming NATO Summit who may be providing support to Ukraine. Our analysis leads us to believe that that the threat actor known as RomCom is likely behind this operation.

  
  Read More

Related rules

• Potential CVE-2023-36884 Exploitation - File Downloads
• Potential CVE-2023-36884 Exploitation - Share Access
• Potential CVE-2023-36884 Exploitation - URL Marker
• Potential CVE-2303-36884 URL Request Pattern Traffic
• DarkGate - Autoit3.EXE File Creation By Uncommon Process