Potential CVE-2023-36884 Exploitation - Share Access
Detects access to a file share whose naming scheme was observed in use during exploitation of CVE-2023-36884

Sigma rule
```yaml
title: Potential CVE-2023-36884 Exploitation - Share Access
id: 3df95076-9e78-4e63-accb-16699c3b74f8
status: test
description: Detects access to a file share with a naming schema seen being used during exploitation of CVE-2023-36884
references:
    - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-07-13
tags:
    - attack.command-and-control
    - cve.2023-36884
    - detection.emerging-threats
logsource:
    product: windows
    service: security
    definition: 'The advanced audit policy setting "Object Access > Audit File Share" must be configured for Success/Failure'
detection:
    selection_eid:
        EventID: 5140
    selection_share_name:
        ShareName|contains: '\MSHTML_C7\'
        ShareName|re: '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
    selection_share_path:
        ShareLocalPath|contains: '\MSHTML_C7\'
        ShareLocalPath|re: '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
    condition: selection_eid and 1 of selection_share_*
falsepositives:
    - Unknown
level: high
```
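The rule's condition reads `selection_eid and 1 of selection_share_*`, and each `selection_share_*` map lists two modifiers on the same field, which Sigma ANDs together: the field must both contain the `\MSHTML_C7\` directory marker and match the dotted-quad regex. The following Python is an added example, not part of the rule or of SigmaHQ, that evaluates that logic by hand over a handful of constructed Event ID 5140 records (the share names and the 192.0.2.x addresses are placeholders, not observed indicators) so the AND-within-a-map and OR-across-maps semantics can be checked before the rule is deployed to a SIEM.

```python
import re

# Field values from the rule. Sigma's 'contains' is case-insensitive by default,
# 're' is a plain regex search; both must hold on the same field.
MARKER = "\\MSHTML_C7\\"
IP_RE = re.compile(r"[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}")


def _share_field_matches(value):
    """One selection_share_* map: marker present AND an IPv4-looking token present."""
    if not value:
        return False
    return MARKER.lower() in value.lower() and IP_RE.search(value) is not None


def rule_matches(event):
    """Evaluate 'selection_eid and 1 of selection_share_*' for a single event dict."""
    if event.get("EventID") != 5140:          # selection_eid
        return False
    return (_share_field_matches(event.get("ShareName"))        # selection_share_name
            or _share_field_matches(event.get("ShareLocalPath")))  # selection_share_path


# Constructed sample records in the shape of Security 5140 events (not real telemetry).
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 5140,
     "ShareName": "\\\\192.0.2.10\\share1\\MSHTML_C7\\", "ShareLocalPath": ""},
    {"RecordId": 2, "EventID": 5140,
     "ShareName": "\\\\*\\wwwroot", "ShareLocalPath": "C:\\Shares\\192.0.2.10\\MSHTML_C7\\"},
    {"RecordId": 3, "EventID": 5140,                   # marker but no address: not a hit
     "ShareName": "\\\\*\\MSHTML_C7\\", "ShareLocalPath": "C:\\Shares\\MSHTML_C7\\"},
    {"RecordId": 4, "EventID": 5140,                   # address but no marker: not a hit
     "ShareName": "\\\\192.0.2.20\\public", "ShareLocalPath": "C:\\Shares\\public"},
    {"RecordId": 5, "EventID": 5145,                   # wrong event ID: not a hit
     "ShareName": "\\\\192.0.2.10\\share1\\MSHTML_C7\\", "ShareLocalPath": ""},
]


def triage(events):
    """Return the RecordIds the rule would flag, in input order."""
    return [e["RecordId"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["RecordId"], "ALERT" if rule_matches(e) else "-", e["ShareName"])
```

Records 3 and 4 are the ones worth noting when tuning: a share that merely contains the marker, or merely embeds an address, does not fire on its own, so the two modifiers together are what keep this rule at `level: high` with an otherwise unknown false-positive profile.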
References
- https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
Related rules
- Potential CVE-2023-36884 Exploitation - File Downloads
- Potential CVE-2023-36884 Exploitation - URL Marker
- Potential CVE-2023-36884 Exploitation Pattern
- Potential CVE-2023-36884 URL Request Pattern Traffic
- DPRK Threat Actor - C2 Communication DNS Indicators