CVE-2023-38331 Exploitation Attempt - Suspicious Double Extension File
Detects the creation of a file with a double extension and a space by WinRAR. This could be a sign of exploitation of CVE-2023-38331
Sigma rule (View on GitHub)
1title: CVE-2023-38331 Exploitation Attempt - Suspicious Double Extension File
2id: e4556676-fc5c-4e95-8c39-5ef27791541f
3related:
4 - id: ec3a3c2f-9bb0-4a9b-8f4b-5ec386544343
5 type: similar
6status: test
7description: Detects the creation of a file with a double extension and a space by WinRAR. This could be a sign of exploitation of CVE-2023-38331
8references:
9 - https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/
10 - https://github.com/knight0x07/WinRAR-Code-Execution-Vulnerability-CVE-2023-38831/blob/26ab6c40b6d2c09bb4fc60feaa4a3a90cfd20c23/Part-1-Overview.md
11author: Nasreddine Bencherchali (Nextron Systems)
12date: 2023-08-30
13tags:
14 - attack.execution
15 - cve.2023-38331
16 - detection.emerging-threats
17logsource:
18 category: file_event
19 product: windows
20detection:
21 selection:
22 Image|endswith: '\WinRAR.exe'
23 TargetFilename|contains: '\AppData\Local\Temp\Rar$'
24 TargetFilename|re: '\.[a-zA-Z0-9]{1,4} \.'
25 condition: selection
26falsepositives:
27 - Unknown
28level: high
References
Related rules
- CVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process
- APT29 2018 Phishing Campaign CommandLine Indicators
- Adwind RAT / JRAT
- Blue Mockingbird
- CVE-2021-1675 Print Spooler Exploitation