CVE-2023-40477 Potential Exploitation - .REV File Creation
Detects the creation of ".rev" files by WinRAR. Could be indicative of potential exploitation of CVE-2023-40477. Look for a suspicious execution shortly after creation or a WinRAR application crash.
Sigma rule (View on GitHub)
1title: CVE-2023-40477 Potential Exploitation - .REV File Creation
2id: c3bd6c55-d495-4c34-918e-e03e8828c074
3status: test
4description: Detects the creation of ".rev" files by WinRAR. Could be indicative of potential exploitation of CVE-2023-40477. Look for a suspicious execution shortly after creation or a WinRAR application crash.
5references:
6 - https://wildptr.io/winrar-cve-2023-40477-poc-new-vulnerability-winrar-security-research/
7 - https://github.com/wildptr-io/Winrar-CVE-2023-40477-POC
8 - https://www.rarlab.com/vuln_rev3_names.html
9author: Nasreddine Bencherchali (Nextron Systems)
10date: 2023-08-31
11tags:
12 - attack.execution
13 - cve.2023-40477
14 - detection.emerging-threats
15logsource:
16 category: file_event
17 product: windows
18detection:
19 selection:
20 Image|endswith:
21 - '\explorer.exe' # When extracted via context menu
22 - '\WinRAR.exe'
23 TargetFilename|endswith: '.rev'
24 condition: selection
25falsepositives:
26 - Legitimate extraction of multipart or recovery volumes ZIP files
27level: low
References
Related rules
- CVE-2023-40477 Potential Exploitation - WinRAR Application Crash
- APT29 2018 Phishing Campaign CommandLine Indicators
- Adwind RAT / JRAT
- Blue Mockingbird
- CVE-2021-1675 Print Spooler Exploitation