CVE-2023-38331 Exploitation Attempt - Suspicious Double Extension File

Detects the creation of a file with a double extension and a space by WinRAR. This could be a sign of exploitation of CVE-2023-38331

Sigma rule (View on GitHub)

 1title: CVE-2023-38331 Exploitation Attempt - Suspicious Double Extension File
 2id: e4556676-fc5c-4e95-8c39-5ef27791541f
 3related:
 4    - id: ec3a3c2f-9bb0-4a9b-8f4b-5ec386544343
 5      type: similar
 6status: test
 7description: Detects the creation of a file with a double extension and a space by WinRAR. This could be a sign of exploitation of CVE-2023-38331
 8references:
 9    - https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/
10    - https://github.com/knight0x07/WinRAR-Code-Execution-Vulnerability-CVE-2023-38831/blob/26ab6c40b6d2c09bb4fc60feaa4a3a90cfd20c23/Part-1-Overview.md
11author: Nasreddine Bencherchali (Nextron Systems)
12date: 2023-08-30
13tags:
14    - attack.execution
15    - cve.2023-38331
16    - detection.emerging-threats
17logsource:
18    category: file_event
19    product: windows
20detection:
21    selection:
22        Image|endswith: '\WinRAR.exe'
23        TargetFilename|contains: '\AppData\Local\Temp\Rar$'
24        TargetFilename|re: '\.[a-zA-Z0-9]{1,4} \.'
25    condition: selection
26falsepositives:
27    - Unknown
28level: high

References

Related rules

to-top