Potential CVE-2303-36884 URL Request Pattern Traffic
Detects a specific URL pattern containing a specific extension and parameters pointing to an IP address. This pattern was seen being used by RomCOM potentially exploiting CVE-2023-36884
Sigma rule (View on GitHub)
1title: Potential CVE-2303-36884 URL Request Pattern Traffic
2id: d9365e39-febd-4a4b-8441-3ca91bb9d333
3status: experimental
4description: Detects a specific URL pattern containing a specific extension and parameters pointing to an IP address. This pattern was seen being used by RomCOM potentially exploiting CVE-2023-36884
5references:
6 - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
7author: X__Junior
8date: 2023/07/12
9tags:
10 - attack.command_and_control
11 - cve.2023.36884
12 - detection.emerging_threats
13logsource:
14 category: proxy
15detection:
16 # Examples:
17 # hxxp://74.50[.]94[.]156/MSHTML_C7/zip_k.asp?d=99.99.99.99.
18 # 104.234[.]239[.]26/share1/MSHTML_C7/1/99.99.99.99_a15fa_file001.htm?d=99.99.99.99_ a15fa_
19 selection:
20 cs-method: 'GET'
21 c-uri|re: '\.(zip|asp|htm|url|xml|chm|mht|vbs|search-ms)\?d=[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
22 condition: selection
23falsepositives:
24 - Unknown
25level: high
References
-
The BlackBerry Threat Research and Intelligence team has uncovered malicious lures targeting guests of the upcoming NATO Summit who may be providing support to Ukraine. Our analysis leads us to believe that that the threat actor known as RomCom is likely behind this operation.
Read More
Related rules
- Potential CVE-2023-36884 Exploitation - File Downloads
- Potential CVE-2023-36884 Exploitation - Share Access
- Potential CVE-2023-36884 Exploitation - URL Marker
- Potential CVE-2023-36884 Exploitation Pattern
- DarkGate - Autoit3.EXE File Creation By Uncommon Process