CVE-2023-40477 Potential Exploitation - WinRAR Application Crash

Detects an Application Error crash (Event ID 1000) of "WinRAR.exe" where the reported version is lower than 6.23, the release in which CVE-2023-40477 was fixed. This could indicate potential exploitation of CVE-2023-40477, although a crash by itself is only a weak indicator.

Sigma rule

title: CVE-2023-40477 Potential Exploitation - WinRAR Application Crash
id: e5a29b54-6fe7-4258-8a23-82960e31231a
status: test
description: Detects a crash of "WinRAR.exe" where the version is lower than 6.23. This could indicate potential exploitation of CVE-2023-40477
references:
    - https://wildptr.io/winrar-cve-2023-40477-poc-new-vulnerability-winrar-security-research/
    - https://github.com/wildptr-io/Winrar-CVE-2023-40477-POC
    - https://www.rarlab.com/vuln_rev3_names.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/08/31
tags:
    - attack.execution
    - cve.2023.40477
    - detection.emerging_threats
logsource:
    product: windows
    service: application
detection:
    selection:
        Provider_Name: 'Application Error'
        EventID: 1000
        AppName: 'WinRAR.exe'
    filter_main_fixed_version:
        # TODO: fix this when the "lt" modifier is implemented for software versions
        AppVersion|startswith:
            - '6.23.'
            - '6.24.'
            - '6.25.'
            - '6.26.'
            - '7.'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate crash for reasons other than exploitation of the vulnerability
level: medium
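The filter above approximates "AppVersion lower than 6.23" with a list of version prefixes because, as the rule's TODO notes, Sigma has no version-aware "lt" modifier. The following added example (written for this page, not code from the rule or from SigmaHQ) applies the rule's selection and filter to a handful of constructed Event ID 1000 records, and puts the prefix workaround side by side with a real numeric version comparison. The events, their field names (RecordNumber, Provider_Name, EventID, AppName, AppVersion) and the version strings are assumptions made for the demonstration, modelled on the Sigma windows/application log source; the "10.0.0.0" record is a deliberately hypothetical version that shows where a prefix list and a numeric comparison disagree.

```python
from __future__ import annotations

# Added example, not part of the Sigma rule or the SigmaHQ project.
# It applies the rule's selection and version filter to constructed
# Windows Application log events (Event ID 1000, "Application Error")
# and contrasts the rule's startswith workaround with a numeric
# "version lower than 6.23" comparison, which is what the TODO asks for.

FIXED_IN = (6, 23)  # WinRAR release in which CVE-2023-40477 was fixed

# The prefixes the rule lists under filter_main_fixed_version.
RULE_FIXED_PREFIXES = ("6.23.", "6.24.", "6.25.", "6.26.", "7.")


def parse_version(text: str) -> tuple[int, ...]:
    """'6.22.0.0' -> (6, 22, 0, 0). Non-digit characters inside a
    component are dropped; an empty component becomes 0."""
    parts = []
    for component in text.strip().split("."):
        digits = "".join(ch for ch in component if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_lt(text: str, threshold: tuple[int, ...]) -> bool:
    """Component-wise numeric comparison, shorter tuple padded with 0s,
    so '10.0.0.0' is not 'lower' than 6.23 the way a string compare says."""
    left = parse_version(text)
    width = max(len(left), len(threshold))
    left = left + (0,) * (width - len(left))
    right = threshold + (0,) * (width - len(threshold))
    return left < right


def selection(event: dict) -> bool:
    """The rule's 'selection' block. Sigma string matching is
    case-insensitive, so the string fields are compared lower-cased."""
    return (
        str(event.get("Provider_Name", "")).lower() == "application error"
        and event.get("EventID") == 1000
        and str(event.get("AppName", "")).lower() == "winrar.exe"
    )


def matches_as_written(event: dict) -> bool:
    """'selection and not 1 of filter_main_*' using the startswith list."""
    version = str(event.get("AppVersion", ""))
    fixed = any(version.startswith(p) for p in RULE_FIXED_PREFIXES)
    return selection(event) and not fixed


def matches_with_lt(event: dict) -> bool:
    """Same rule, but the filter is a true 'AppVersion < 6.23' test."""
    version = str(event.get("AppVersion", ""))
    return selection(event) and version_lt(version, FIXED_IN)


def run(events, matcher) -> list[int]:
    """Return the RecordNumbers of the events the matcher flags."""
    return [e["RecordNumber"] for e in events if matcher(e)]


def _evt(n, provider, eid, app, ver):
    # Constructed sample record (not real telemetry); field names follow
    # the Sigma windows/application log source used by the rule.
    return {"RecordNumber": n, "Provider_Name": provider, "EventID": eid,
            "AppName": app, "AppVersion": ver}


SAMPLE_EVENTS = [
    _evt(1, "Application Error", 1000, "WinRAR.exe", "6.22.0.0"),        # vulnerable
    _evt(2, "Application Error", 1000, "WinRAR.exe", "6.23.0.0"),        # fixed
    _evt(3, "Application Error", 1000, "WinRAR.exe", "7.01.0.0"),        # fixed
    _evt(4, "Application Error", 1000, "notepad.exe", "6.22.0.0"),       # other app
    _evt(5, "Application Error", 1000, "WinRAR.exe", "10.0.0.0"),        # hypothetical major
    _evt(6, "Windows Error Reporting", 1001, "WinRAR.exe", "6.22.0.0"),  # not Event 1000
    _evt(7, "Application Error", 1000, "WinRAR.exe", "5.91.0.0"),        # vulnerable
]

if __name__ == "__main__":
    print("as written:", run(SAMPLE_EVENTS, matches_as_written))  # [1, 5, 7]
    print("with lt   :", run(SAMPLE_EVENTS, matches_with_lt))     # [1, 7]
```

Records 1 and 7 are flagged either way, and records 2 and 3 are suppressed either way, so for every WinRAR version that has actually shipped the two filters agree. The hypothetical "10.0.0.0" record is the divergence: no entry in the prefix list covers it, so the rule as written would alert on a patched build, while the numeric comparison does not. When a backend gains a version-aware comparison, the filter should become a single AppVersion-lower-than-6.23 test and the prefix list can go.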
