CVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process
Detects exploitation attempt of CVE-2023-38331 (WinRAR before v6.23), where an attacker can leverage WinRAR to execute arbitrary commands and binaries.
Sigma rule

title: CVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process
id: ec3a3c2f-9bb0-4a9b-8f4b-5ec386544343
related:
    - id: e4556676-fc5c-4e95-8c39-5ef27791541f
      type: similar
status: experimental
description: Detects exploitation attempt of CVE-2023-38331 (WinRAR before v6.23), where an attacker can leverage WinRAR to execute arbitrary commands and binaries.
references:
    - https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/
    - https://github.com/knight0x07/WinRAR-Code-Execution-Vulnerability-CVE-2023-38831/blob/26ab6c40b6d2c09bb4fc60feaa4a3a90cfd20c23/Part-1-Overview.md
author: Nasreddine Bencherchali (Nextron Systems), Andreas Braathen (mnemonic.io)
date: 2023/08/30
tags:
    - detection.emerging_threats
    - attack.execution
    - attack.t1203
    - cve.2023.38331
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\WinRAR.exe'
    selection_folder:
        CommandLine|contains: '\AppData\Local\Temp\Rar$'
    selection_double_ext:
        CommandLine|re: '\.[a-zA-Z0-9]{1,4} \.'
    selection_binaries:
        # Note: add additional binaries that the attacker might use
        - Image|endswith:
            - '\cmd.exe'
            - '\wscript.exe'
        - OriginalFileName:
            - 'Cmd.Exe'
            - 'cscript.exe'
            - 'PowerShell.EXE'
            - 'pwsh.dll'
            - 'wscript.exe'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
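The rule's four selections are AND-ed (condition: all of selection_*), while the two list items under selection_binaries are OR-ed, and Sigma's endswith/contains modifiers match case-insensitively whereas the re modifier does not. The following is an added example, not code from the Sigma project: a hand translation of that logic into Python, run over a few constructed process-creation events whose field names (ParentImage, Image, CommandLine, OriginalFileName) follow the Sigma process_creation log source. It shows which events fire, and why the benign and wrong-parent events do not.

```python
import re

# Assumed field names from the Sigma process_creation log source; the
# selection functions below are a hand translation of the rule, not Sigma code.
# endswith/contains are case-insensitive in Sigma, so compare lower-cased;
# the re modifier is case-sensitive, so the pattern is used as written.
PARENT_SUFFIX = "\\winrar.exe"
TEMP_RAR_FRAGMENT = "\\appdata\\local\\temp\\rar$"
DOUBLE_EXT_RE = re.compile(r"\.[a-zA-Z0-9]{1,4} \.")
IMAGE_SUFFIXES = ("\\cmd.exe", "\\wscript.exe")
ORIGINAL_FILE_NAMES = {"cmd.exe", "cscript.exe", "powershell.exe", "pwsh.dll", "wscript.exe"}


def selection_parent(event):
    return event.get("ParentImage", "").lower().endswith(PARENT_SUFFIX)


def selection_folder(event):
    return TEMP_RAR_FRAGMENT in event.get("CommandLine", "").lower()


def selection_double_ext(event):
    # Matches "invoice.pdf .cmd": a short extension, a space, then a second dot.
    return DOUBLE_EXT_RE.search(event.get("CommandLine", "")) is not None


def selection_binaries(event):
    # The two list items under selection_binaries are OR-ed in Sigma.
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith(IMAGE_SUFFIXES) or original in ORIGINAL_FILE_NAMES


def matches_rule(event):
    """condition: all of selection_*"""
    return all(sel(event) for sel in (selection_parent, selection_folder,
                                      selection_double_ext, selection_binaries))


# Constructed sample events (not real telemetry); values mimic Sysmon EID 1 fields.
SAMPLE_EVENTS = [
    {   # cmd.exe launched by WinRAR on a "invoice.pdf .cmd" file in the Rar$ temp folder
        "ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": r'"C:\Windows\System32\cmd.exe" /c "C:\Users\alice\AppData\Local\Temp\Rar$DIa4460.22193\invoice.pdf .cmd"',
    },
    {   # WinRAR opening a text file with Notepad: no double extension, not a listed binary
        "ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe",
        "Image": r"C:\Windows\System32\notepad.exe",
        "OriginalFileName": "NOTEPAD.EXE",
        "CommandLine": r'"C:\Windows\System32\notepad.exe" "C:\Users\alice\AppData\Local\Temp\Rar$DIa4460.22193\readme.txt"',
    },
    {   # same command line launched from Explorer: selection_parent fails
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": r'"C:\Windows\System32\cmd.exe" /c "C:\Users\alice\AppData\Local\Temp\Rar$DIa4460.22193\invoice.pdf .cmd"',
    },
    {   # PowerShell: Image does not end with \cmd.exe or \wscript.exe, OriginalFileName matches
        "ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -File "C:\Users\alice\AppData\Local\Temp\Rar$DIa4460.22193\report.png .ps1"',
    },
]


def alerts(events):
    """Return the indexes of events that satisfy the rule condition."""
    return [i for i, e in enumerate(events) if matches_rule(e)]


if __name__ == "__main__":
    for i in alerts(SAMPLE_EVENTS):
        print(f"ALERT event[{i}]: {SAMPLE_EVENTS[i]['CommandLine']}")
```

Running the block reports events 0 and 3 only. Event 1 fails both selection_double_ext and selection_binaries, and event 2 fails selection_parent, which is why the rule is scoped to WinRAR children rather than to any process touching a Rar$ folder. The OriginalFileName alternative in selection_binaries is what still catches the PowerShell case even though the image path is not in the endswith list.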
References
Related rules
- CVE-2023-38331 Exploitation Attempt - Suspicious Double Extension File
- Droppers Exploiting CVE-2017-11882
- Exploit for CVE-2017-0261
- Exploit for CVE-2017-8759
- Potential CVE-2021-26857 Exploitation Attempt