Potential CVE-2023-36884 URL Request Pattern Traffic
Detects a specific URL pattern containing a specific extension and parameters pointing to an IP address. This pattern was seen being used by RomCOM potentially exploiting CVE-2023-36884
Sigma rule

```yaml
title: Potential CVE-2023-36884 URL Request Pattern Traffic
id: d9365e39-febd-4a4b-8441-3ca91bb9d333
status: test
description: Detects a specific URL pattern containing a specific extension and parameters pointing to an IP address. This pattern was seen being used by RomCOM potentially exploiting CVE-2023-36884
references:
    - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
author: X__Junior
date: 2023-07-12
tags:
    - attack.command-and-control
    - cve.2023-36884
    - detection.emerging-threats
logsource:
    category: proxy
detection:
    # Examples:
    # hxxp://74.50[.]94[.]156/MSHTML_C7/zip_k.asp?d=99.99.99.99.
    # 104.234[.]239[.]26/share1/MSHTML_C7/1/99.99.99.99_a15fa_file001.htm?d=99.99.99.99_ a15fa_
    selection:
        cs-method: 'GET'
        c-uri|re: '\.(zip|asp|htm|url|xml|chm|mht|vbs|search-ms)\?d=[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
    condition: selection
falsepositives:
    - Unknown
level: high
```
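To see what the selection block actually matches, the following added example (not part of the Sigma rule or the SigmaHQ project) re-implements the rule's two conditions in Python and runs them over a handful of constructed proxy log lines. The regex is copied verbatim from the `c-uri|re` field; the space-separated log format, the `parse_line` helper and all sample lines are assumptions made for the example. The two malicious-looking URIs are the refanged examples from the rule's comments (the stray space in the second example comment is dropped so the URI stays one field); the remaining lines are benign traffic invented for contrast.

```python
import re
from typing import Dict, List

# Regex copied verbatim from the rule's c-uri|re field: a known extension,
# followed by "?d=" and a dotted-quad (the victim IP the RomCom pattern embeds).
URI_PATTERN = re.compile(
    r"\.(zip|asp|htm|url|xml|chm|mht|vbs|search-ms)\?d="
    r"[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}"
)


def matches_rule(cs_method: str, c_uri: str) -> bool:
    """Mirror the rule's selection block: cs-method must equal 'GET' and
    c-uri must contain the pattern. Sigma's |re modifier is an unanchored
    search, so re.search (not re.fullmatch) reproduces its semantics."""
    return cs_method == "GET" and URI_PATTERN.search(c_uri) is not None


# Constructed proxy log lines (assumed format: timestamp, client IP,
# method, request URI, HTTP status). Lines 1-2 are the rule's own example
# URIs, refanged; lines 3-5 are benign requests invented for contrast.
SAMPLE_LOG = """\
2023-07-12T10:00:01Z 10.1.2.3 GET http://74.50.94.156/MSHTML_C7/zip_k.asp?d=99.99.99.99. 200
2023-07-12T10:00:02Z 10.1.2.3 GET http://104.234.239.26/share1/MSHTML_C7/1/99.99.99.99_a15fa_file001.htm?d=99.99.99.99_a15fa_ 200
2023-07-12T10:00:03Z 10.1.2.4 GET http://intranet.example.test/reports/q2.htm?d=2023-07-01 200
2023-07-12T10:00:04Z 10.1.2.5 POST http://upload.example.test/file.asp?d=10.0.0.1 200
2023-07-12T10:00:05Z 10.1.2.6 GET http://cdn.example.test/app.js?v=1.2.3.4 200
"""


def parse_line(line: str) -> Dict[str, str]:
    """Split one constructed log line into the Sigma proxy field names."""
    ts, client, method, uri, status = line.split(maxsplit=4)
    return {
        "timestamp": ts,
        "c-ip": client,
        "cs-method": method,
        "c-uri": uri,
        "status": status,
    }


def scan(log_text: str) -> List[Dict[str, str]]:
    """Apply the rule to every non-empty line and return the matching records."""
    hits = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        record = parse_line(raw)
        if matches_rule(record["cs-method"], record["c-uri"]):
            hits.append(record)
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"ALERT {hit['timestamp']} {hit['c-ip']} -> {hit['c-uri']}")
```

Only the first two lines fire: the third has a `.htm?d=` parameter that is a date rather than a dotted quad, the fourth is a POST, and the fifth has neither a listed extension nor a `d=` parameter. Note that the regex is unanchored and does not care what follows the IP, which is why the second example still matches despite the trailing `_a15fa_`; it also means any internal GET to a `.htm?d=<ip>` style URL would match, so the `Unknown` false-positive entry is worth validating against your own proxy baseline before deploying at `level: high`.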
Related rules
- Potential CVE-2023-36884 Exploitation - File Downloads
- Potential CVE-2023-36884 Exploitation - Share Access
- Potential CVE-2023-36884 Exploitation - URL Marker
- Potential CVE-2023-36884 Exploitation Pattern
- DPRK Threat Actor - C2 Communication DNS Indicators