Potential CVE-2023-36884 Exploitation - File Downloads

Detects files seen being requested by RomCom while potentially exploiting CVE-2023-36884

Sigma rule (View on GitHub)

 1title: Potential CVE-2023-36884 Exploitation - File Downloads
 2id: 6af1617f-c179-47e3-bd66-b28034a1052d
 3status: test
 4description: Detects files seen being requested by RomCom while potentially exploiting CVE-2023-36884
 5references:
 6    - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
 7author: X__Junior
 8date: 2023-07-12
 9tags:
10    - attack.command-and-control
11    - cve.2023-36884
12    - detection.emerging-threats
13logsource:
14    category: proxy
15detection:
16    selection:
17        cs-method: 'GET'
18        c-uri|contains:
19            - '/ex001.url'
20            - '/file001.search-ms'
21            - '/file001.url'
22            - '/file001.vbs'
23            - '/file1.mht'
24            - '/o2010.asp'
25            - '/redir_obj.html'
26            - '/RFile.asp'
27            - '/zip_k.asp'
28            - '/zip_k2.asp'
29            - '/zip_k3.asp'
30    condition: selection
31falsepositives:
32    - Unknown
33level: medium

References

Related rules

to-top