Potential CVE-2023-36884 Exploitation - File Downloads
Detects files seen being requested by RomCom while potentially exploiting CVE-2023-36884
Sigma rule
title: Potential CVE-2023-36884 Exploitation - File Downloads
id: 6af1617f-c179-47e3-bd66-b28034a1052d
status: test
description: Detects files seen being requested by RomCom while potentially exploiting CVE-2023-36884
references:
    - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
author: X__Junior
date: 2023-07-12
tags:
    - attack.command-and-control
    - cve.2023-36884
    - detection.emerging-threats
logsource:
    category: proxy
detection:
    selection:
        cs-method: 'GET'
        c-uri|contains:
            - '/ex001.url'
            - '/file001.search-ms'
            - '/file001.url'
            - '/file001.vbs'
            - '/file1.mht'
            - '/o2010.asp'
            - '/redir_obj.html'
            - '/RFile.asp'
            - '/zip_k.asp'
            - '/zip_k2.asp'
            - '/zip_k3.asp'
    condition: selection
falsepositives:
    - Unknown
level: medium
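To show how the selection above behaves on proxy records, here is an added Python example (not part of the rule or of the SigmaHQ project) that parses a W3C extended-format proxy log and applies the rule's two conditions: the method must be GET and the URI must contain one of the listed markers, matched case-insensitively as Sigma does by default. The log lines, hostnames and addresses are constructed placeholders, and the #Fields header uses the Sigma field names cs-method and c-uri directly, which assumes the field mapping a real Sigma backend would perform for the proxy in use.

```python
"""Evaluate the Sigma selection above against W3C extended-format proxy logs."""

# Indicators copied from the rule's c-uri|contains list.
CVE_2023_36884_URI_MARKERS = (
    "/ex001.url", "/file001.search-ms", "/file001.url", "/file001.vbs",
    "/file1.mht", "/o2010.asp", "/redir_obj.html", "/RFile.asp",
    "/zip_k.asp", "/zip_k2.asp", "/zip_k3.asp",
)


def parse_w3c(log_text):
    """Parse a W3C extended log (the format many proxies emit) into dicts keyed by field name."""
    fields, rows = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # header declares the column order
            continue
        if line.startswith("#"):
            continue                       # other directives (#Version, #Date, ...)
        values = line.split()
        if len(values) != len(fields):
            continue                       # skip malformed rows rather than mis-assign columns
        rows.append(dict(zip(fields, values)))
    return rows


def matches_rule(event):
    """Sigma selection: cs-method equals GET AND c-uri contains any listed marker."""
    # Sigma string matching is case-insensitive by default, so compare lowercased.
    if event.get("cs-method", "").lower() != "get":
        return False
    uri = event.get("c-uri", "").lower()
    return any(marker.lower() in uri for marker in CVE_2023_36884_URI_MARKERS)


def detect(log_text):
    """Return every parsed event that satisfies the rule's selection."""
    return [event for event in parse_w3c(log_text) if matches_rule(event)]


# Constructed sample log: hosts and addresses are placeholders, not real indicators.
# Row 2 matches despite mixed case; row 3 does not because the method is POST.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-host c-uri sc-status
2023-07-12 09:14:03 10.0.0.5 GET files.example.invalid /share/file001.url 200
2023-07-12 09:14:05 10.0.0.5 GET files.example.invalid /share/File1.MHT 200
2023-07-12 09:15:10 10.0.0.7 POST files.example.invalid /zip_k2.asp 200
2023-07-12 09:16:00 10.0.0.9 GET www.example.invalid /index.html 200
"""

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print("ALERT", hit["c-ip"], hit["cs-method"], hit["cs-host"] + hit["c-uri"])
```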
Related rules
- Potential CVE-2023-36884 Exploitation - Share Access
- Potential CVE-2023-36884 Exploitation - URL Marker
- Potential CVE-2023-36884 Exploitation Pattern
- Potential CVE-2023-36884 URL Request Pattern Traffic
- DPRK Threat Actor - C2 Communication DNS Indicators