Potential CVE-2023-36884 Exploitation - URL Marker
Detects a unique URL marker seen being used by RomCom potentially exploiting CVE-2023-36884
Sigma rule (View on GitHub)
1title: Potential CVE-2023-36884 Exploitation - URL Marker
2id: e59f71ff-c042-4f7a-8a82-8f53beea817e
3status: experimental
4description: Detects a unique URL marker seen being used by RomCom potentially exploiting CVE-2023-36884
5references:
6 - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
7author: X__Junior
8date: 2023/07/12
9tags:
10 - attack.command_and_control
11 - cve.2023.36884
12 - detection.emerging_threats
13logsource:
14 category: proxy
15detection:
16 selection:
17 cs-method: 'GET'
18 c-uri|contains: '/MSHTML_C7/'
19 condition: selection
20falsepositives:
21 - Unknown
22level: high
References
-
The BlackBerry Threat Research and Intelligence team has uncovered malicious lures targeting guests of the upcoming NATO Summit who may be providing support to Ukraine. Our analysis leads us to believe that that the threat actor known as RomCom is likely behind this operation.
Read More
Related rules
- Potential CVE-2023-36884 Exploitation - File Downloads
- Potential CVE-2023-36884 Exploitation - Share Access
- Potential CVE-2023-36884 Exploitation Pattern
- Potential CVE-2303-36884 URL Request Pattern Traffic
- DarkGate - Autoit3.EXE File Creation By Uncommon Process