Potentially Suspicious Child Process Of WinRAR.EXE
Detects potentially suspicious child processes of WinRAR.exe.
Sigma rule
title: Potentially Suspicious Child Process Of WinRAR.EXE
id: 146aace8-9bd6-42ba-be7a-0070d8027b76
related:
    - id: ec3a3c2f-9bb0-4a9b-8f4b-5ec386544343
      type: similar
status: test
description: Detects potentially suspicious child processes of WinRAR.exe.
references:
    - https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/
    - https://github.com/knight0x07/WinRAR-Code-Execution-Vulnerability-CVE-2023-38831/blob/26ab6c40b6d2c09bb4fc60feaa4a3a90cfd20c23/Part-1-Overview.md
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-31
tags:
    - attack.execution
    - attack.t1203
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\WinRAR.exe'
    selection_binaries:
        # Note: add additional binaries that the attacker might use
        - Image|endswith:
              - '\cmd.exe'
              - '\cscript.exe'
              - '\mshta.exe'
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\regsvr32.exe'
              - '\rundll32.exe'
              - '\wscript.exe'
        - OriginalFileName:
              - 'Cmd.Exe'
              - 'cscript.exe'
              - 'mshta.exe'
              - 'PowerShell.EXE'
              - 'pwsh.dll'
              - 'regsvr32.exe'
              - 'RUNDLL32.EXE'
              - 'wscript.exe'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
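The rule's matching logic, written out as an added example (not code from the Sigma project or from this page): a small Python evaluator run over constructed process-creation events, showing why the rule checks OriginalFileName as well as the image path. Field names follow the rule; the helper names, paths and event values are assumptions made for illustration.

```python
# Added example: re-implements the rule's detection block for illustration only.
PARENT_SUFFIX = "\\winrar.exe"
IMAGE_SUFFIXES = ("\\cmd.exe", "\\cscript.exe", "\\mshta.exe", "\\powershell.exe",
                  "\\pwsh.exe", "\\regsvr32.exe", "\\rundll32.exe", "\\wscript.exe")
ORIGINAL_NAMES = {"cmd.exe", "cscript.exe", "mshta.exe", "powershell.exe",
                  "pwsh.dll", "regsvr32.exe", "rundll32.exe", "wscript.exe"}


def selection_parent(event):
    # ParentImage|endswith; Sigma string matching is case-insensitive by default
    return event.get("ParentImage", "").lower().endswith(PARENT_SUFFIX)


def selection_binaries(event):
    # The two list items are OR-ed: image path suffix OR PE OriginalFileName
    by_path = event.get("Image", "").lower().endswith(IMAGE_SUFFIXES)
    by_pe_name = event.get("OriginalFileName", "").lower() in ORIGINAL_NAMES
    return by_path or by_pe_name


def rule_matches(event):
    # condition: all of selection_*
    return selection_parent(event) and selection_binaries(event)


# Constructed sample events (hypothetical paths, not real telemetry)
WINRAR = r"C:\Program Files\WinRAR\WinRAR.exe"
SAMPLE_EVENTS = [
    {"name": "cmd.exe spawned by WinRAR", "ParentImage": WINRAR,
     "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe"},
    {"name": "renamed copy of cmd.exe spawned by WinRAR", "ParentImage": WINRAR,
     "Image": r"C:\Users\alice\AppData\Local\Temp\viewer.exe",
     "OriginalFileName": "Cmd.Exe"},
    {"name": "notepad.exe spawned by WinRAR", "ParentImage": WINRAR,
     "Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE"},
    {"name": "cmd.exe spawned by Explorer", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe"},
]


def matching_events(events):
    return [e["name"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    print("\n".join(matching_events(SAMPLE_EVENTS)))
```

The second event matches only through OriginalFileName, which is the case the Image suffix list alone would miss.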
Related rules
- Audit CVE Event
- CVE-2021-26858 Exchange Exploitation
- CVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process
- Download From Suspicious TLD - Blacklist
- Download From Suspicious TLD - Whitelist