Potential CVE-2023-36884 Exploitation Pattern

Detects a unique proxy-log URL pattern observed in use by RomCom, potentially exploiting CVE-2023-36884.

Sigma rule

```yaml
title: Potential CVE-2023-36884 Exploitation Pattern
id: 0066d244-c277-4c3e-88ec-9e7b777cc8bc
status: test
description: Detects a unique pattern seen being used by RomCom potentially exploiting CVE-2023-36884
references:
    - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
author: X__Junior
date: 2023-07-12
tags:
    - attack.command-and-control
    - cve.2023-36884
    - detection.emerging-threats
logsource:
    category: proxy
detection:
    selection:
        cs-method: 'GET'
        c-uri|contains: '/MSHTML_C7/'
        c-uri|re: '\?d=[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
    condition: selection
falsepositives:
    - Unknown
level: critical
```
