Potential CVE-2023-36884 Exploitation - Share Access

Detects access to a file share with a naming schema seen being used during exploitation of CVE-2023-36884

Sigma rule:

title: Potential CVE-2023-36884 Exploitation - Share Access
id: 3df95076-9e78-4e63-accb-16699c3b74f8
status: experimental
description: Detects access to a file share with a naming schema seen being used during exploitation of CVE-2023-36884
references:
    - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/07/13
tags:
    - attack.command_and_control
    - cve.2023.36884
    - detection.emerging_threats
logsource:
    product: windows
    service: security
    definition: 'The advanced audit policy setting "Object Access > Audit File Share" must be configured for Success/Failure'
detection:
    selection_eid:
        EventID: 5140
    selection_share_name:
        ShareName|contains: '\MSHTML_C7\'
        ShareName|re: '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
    selection_share_path:
        ShareLocalPath|contains: '\MSHTML_C7\'
        ShareLocalPath|re: '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
    condition: selection_eid and 1 of selection_share_*
falsepositives:
    - Unknown
level: high
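The rule's matching logic run over a few constructed Event ID 5140 records, as an added Python example that is not part of the rule or of the SigmaHQ project; the sample events, their RecordId values and the 192.0.2.x address (a documentation range, not an indicator) are made up for the demonstration.

```python
import re

# Sigma '|contains' compares case-insensitively; '|re' is a plain, unanchored regex search.
SHARE_MARKER = "\\MSHTML_C7\\".lower()
IPV4_PATTERN = re.compile(r"[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}")


def share_field_matches(value):
    """One selection_share_* map: both keys (contains AND re) must match the same field."""
    if not value:
        return False
    return SHARE_MARKER in value.lower() and IPV4_PATTERN.search(value) is not None


def matches_rule(event):
    """condition: selection_eid and 1 of selection_share_* (ShareName OR ShareLocalPath)."""
    if event.get("EventID") != 5140:
        return False
    return share_field_matches(event.get("ShareName")) or share_field_matches(
        event.get("ShareLocalPath")
    )


# Constructed stand-ins for Security log 5140 records, reduced to the fields the rule inspects.
SAMPLE_EVENTS = [
    # share name carries both the MSHTML_C7 component and an IPv4 address -> alert
    {"RecordId": 1, "EventID": 5140, "ShareName": "\\\\192.0.2.10\\share\\MSHTML_C7\\", "ShareLocalPath": ""},
    # ordinary IPC$ access -> no alert
    {"RecordId": 2, "EventID": 5140, "ShareName": "\\\\*\\IPC$", "ShareLocalPath": ""},
    # same share name but a different event id (detailed share access) -> not in scope of this rule
    {"RecordId": 3, "EventID": 5145, "ShareName": "\\\\192.0.2.10\\share\\MSHTML_C7\\", "ShareLocalPath": ""},
    # MSHTML_C7 present but the host is a name, not an IP -> the |re key fails, no alert
    {"RecordId": 4, "EventID": 5140, "ShareName": "\\\\fileserver01\\MSHTML_C7\\", "ShareLocalPath": ""},
    # share name is clean, but the local path satisfies selection_share_path -> alert
    {"RecordId": 5, "EventID": 5140, "ShareName": "\\\\*\\C$", "ShareLocalPath": "\\??\\C:\\MSHTML_C7\\192.0.2.10\\"},
]


def alerting_record_ids(events=SAMPLE_EVENTS):
    """Return the RecordId of every event the rule would fire on."""
    return [e["RecordId"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    print(alerting_record_ids())  # [1, 5]
```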
