Potentially Suspicious Child Process Of WinRAR.EXE

 1title: Potentially Suspicious Child Process Of WinRAR.EXE
 2id: 146aace8-9bd6-42ba-be7a-0070d8027b76
 3related:
 4    - id: ec3a3c2f-9bb0-4a9b-8f4b-5ec386544343
 5      type: similar
 6status: experimental
 7description: Detects potentially suspicious child processes of WinRAR.exe.
 8references:
 9    - https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/
10    - https://github.com/knight0x07/WinRAR-Code-Execution-Vulnerability-CVE-2023-38831/blob/26ab6c40b6d2c09bb4fc60feaa4a3a90cfd20c23/Part-1-Overview.md
11author: Nasreddine Bencherchali (Nextron Systems)
12date: 2023/08/31
13tags:
14    - attack.execution
15    - attack.t1203
16logsource:
17    category: process_creation
18    product: windows
19detection:
20    selection_parent:
21        ParentImage|endswith: '\WinRAR.exe'
22    selection_binaries:
23        # Note: add additional binaries that the attacker might use
24        - Image|endswith:
25              - '\cmd.exe'
26              - '\cscript.exe'
27              - '\mshta.exe'
28              - '\powershell.exe'
29              - '\pwsh.exe'
30              - '\regsvr32.exe'
31              - '\rundll32.exe'
32              - '\wscript.exe'
33        - OriginalFileName:
34              - 'Cmd.Exe'
35              - 'cscript.exe'
36              - 'mshta.exe'
37              - 'PowerShell.EXE'
38              - 'pwsh.dll'
39              - 'regsvr32.exe'
40              - 'RUNDLL32.EXE'
41              - 'wscript.exe'
42    condition: all of selection_*
43falsepositives:
44    - Unknown
45level: medium