Potential CVE-2023-36884 Exploitation - URL Marker

Detects a unique URL marker seen being used by RomCom potentially exploiting CVE-2023-36884

Sigma rule (View on GitHub)

 1title: Potential CVE-2023-36884 Exploitation - URL Marker
 2id: e59f71ff-c042-4f7a-8a82-8f53beea817e
 3status: test
 4description: Detects a unique URL marker seen being used by RomCom potentially exploiting CVE-2023-36884
 5references:
 6    - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
 7author: X__Junior
 8date: 2023-07-12
 9tags:
10    - attack.command-and-control
11    - cve.2023-36884
12    - detection.emerging-threats
13logsource:
14    category: proxy
15detection:
16    selection:
17        cs-method: 'GET'
18        c-uri|contains: '/MSHTML_C7/'
19    condition: selection
20falsepositives:
21    - Unknown
22level: high

References

Related rules

to-top