Potential CVE-2023-36884 Exploitation - URL Marker
Detects a unique URL marker seen being used by RomCom potentially exploiting CVE-2023-36884
Sigma rule
title: Potential CVE-2023-36884 Exploitation - URL Marker
id: e59f71ff-c042-4f7a-8a82-8f53beea817e
status: test
description: Detects a unique URL marker seen being used by RomCom potentially exploiting CVE-2023-36884
references:
  - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
author: X__Junior
date: 2023-07-12
tags:
  - attack.command-and-control
  - cve.2023-36884
  - detection.emerging-threats
logsource:
  category: proxy
detection:
  selection:
    cs-method: 'GET'
    c-uri|contains: '/MSHTML_C7/'
  condition: selection
falsepositives:
  - Unknown
level: high
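The rule's selection applied to proxy logs, as an added example that is not part of the Sigma rule or the SigmaHQ project: a small parser for W3C extended log format records (the `#Fields` header names the columns) plus the match logic, run over constructed sample lines. Sigma string matching is case-insensitive by default, so the check is too.

```python
"""Apply the Sigma selection above (cs-method == GET and c-uri contains
'/MSHTML_C7/') to W3C extended proxy log records."""

# Constructed sample data in W3C extended log format (not real traffic).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-host c-uri sc-status
2023-07-12 10:01:02 10.0.0.5 GET example.net /index.html 200
2023-07-12 10:01:09 10.0.0.5 GET example.net /MSHTML_C7/start.xml 200
2023-07-12 10:01:15 10.0.0.7 POST example.net /MSHTML_C7/upload 404
2023-07-12 10:02:00 10.0.0.9 GET example.org /mshtml_c7/lower.htm 200
"""


def parse_w3c(text):
    """Yield one dict per record, keyed by the names from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data before any #Fields header
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed record: column count does not match header
        yield dict(zip(fields, values))


def matches_rule(record):
    """Sigma 'selection': cs-method equals GET and c-uri contains '/MSHTML_C7/'.
    Sigma string matching is case-insensitive by default, so compare lowercase."""
    method = record.get("cs-method", "")
    uri = record.get("c-uri", "")
    return method.upper() == "GET" and "/mshtml_c7/" in uri.lower()


def find_hits(text):
    """Return every record in the log text that satisfies the rule's selection."""
    return [r for r in parse_w3c(text) if matches_rule(r)]


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(f"ALERT {hit['c-ip']} {hit['cs-method']} {hit['cs-host']}{hit['c-uri']}")
```

On the sample, the two GET requests to the marker path are flagged; the POST to the same path is not, mirroring the rule's two-field selection.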
Related rules
- Potential CVE-2023-36884 Exploitation - File Downloads
- Potential CVE-2023-36884 Exploitation - Share Access
- Potential CVE-2023-36884 Exploitation Pattern
- Potential CVE-2303-36884 URL Request Pattern Traffic
- DPRK Threat Actor - C2 Communication DNS Indicators