Potential CVE-2023-36884 Exploitation - Share Access

Detects access to a file share with a naming schema seen being used during exploitation of CVE-2023-36884

Sigma rule (View on GitHub)

 1title: Potential CVE-2023-36884 Exploitation - Share Access
 2id: 3df95076-9e78-4e63-accb-16699c3b74f8
 3status: test
 4description: Detects access to a file share with a naming schema seen being used during exploitation of CVE-2023-36884
 5references:
 6    - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
 7author: Nasreddine Bencherchali (Nextron Systems)
 8date: 2023-07-13
 9tags:
10    - attack.command-and-control
11    - cve.2023-36884
12    - detection.emerging-threats
13logsource:
14    product: windows
15    service: security
16    definition: 'The advanced audit policy setting "Object Access > Audit File Share" must be configured for Success/Failure'
17detection:
18    selection_eid:
19        EventID: 5140
20    selection_share_name:
21        ShareName|contains: '\MSHTML_C7\'
22        ShareName|re: '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
23    selection_share_path:
24        ShareLocalPath|contains: '\MSHTML_C7\'
25        ShareLocalPath|re: '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
26    condition: selection_eid and 1 of selection_share_*
27falsepositives:
28    - Unknown
29level: high

References

Related rules

to-top