Merge pull request SigmaHQ#4390 from @nasbench - CVE-2023-36874

new: Potential CVE-2023-36874 Exploitation - Uncommon Report.Wer Location new: Potential CVE-2023-36874 Exploitation - Fake Wermgr.Exe Creation new: Potential CVE-2023-36874 Exploitation - Fake Wermgr Execution new: Suspicious Execution Location Of Wermgr.EXE - split from 396f6630-f3ac-44e3-bfc8-1b161bc00c4e update: Potential Defense Evasion Via Rename Of Highly Relevant Binaries - enhanced child process list update: Suspicious Child Process Of Wermgr.EXE - update title fix: SCR File Write Event - update modifier --------- Co-authored-by: phantinuss <[email protected]>
phantinuss · Aug 24, 2023 · 67d1036 · 67d1036
1 parent 3ce631a
commit 67d1036
Show file tree

Hide file tree

Showing 7 changed files with 172 additions and 44 deletions.
diff --git a/...ts/2023/Exploits/CVE-2023-36874/file_event_win_exploit_cve_2023_34362_report_creation.yml b/...ts/2023/Exploits/CVE-2023-36874/file_event_win_exploit_cve_2023_34362_report_creation.yml
@@ -0,0 +1,32 @@
+title: Potential CVE-2023-36874 Exploitation - Uncommon Report.Wer Location
+id: 92389a99-5215-43b0-a09f-e334453b2ed3
+status: experimental
+description: Detects the creation of a "Report.wer" file in an uncommon folder structure. This could be a sign of potential exploitation of CVE-2023-36874.
+references:
+    - https://github.com/Wh04m1001/CVE-2023-36874
+    - https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/08/23
+tags:
+    - attack.execution
+    - cve.2023.36874
+    - detection.emerging_threats
+logsource:
+    category: file_event
+    product: windows
+detection:
+    selection:
+        TargetFilename|contains: ':\ProgramData\Microsoft\Windows\WER\ReportArchive\'
+        TargetFilename|endswith: '\Report.wer'
+    filter_main_locations:
+        TargetFilename|contains:
+            # Note: This list is non exhaustive. Use this as a start for hunting for suspicious folder report
+            - '\ReportArchive\AppCrash_'
+            - '\ReportArchive\AppHang_'
+            - '\ReportArchive\Critical_'
+            - '\ReportArchive\Kernel_'
+            - '\ReportArchive\NonCritical_'
+    condition: selection and not 1 of filter_main_*
+falsepositives:
+    - Unknown
+level: medium
diff --git a/...ts/2023/Exploits/CVE-2023-36874/file_event_win_exploit_cve_2023_34362_wermgr_creation.yml b/...ts/2023/Exploits/CVE-2023-36874/file_event_win_exploit_cve_2023_34362_wermgr_creation.yml
@@ -0,0 +1,31 @@
+title: Potential CVE-2023-36874 Exploitation - Fake Wermgr.Exe Creation
+id: ad0960eb-0015-4d16-be13-b3d9f18f1342
+status: experimental
+description: Detects the creation of a file named "wermgr.exe" being created in an uncommon directory. This could be a sign of potential exploitation of CVE-2023-36874.
+references:
+    - https://github.com/Wh04m1001/CVE-2023-36874
+    - https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/08/23
+tags:
+    - attack.execution
+    - cve.2023.36874
+    - detection.emerging_threats
+logsource:
+    category: file_event
+    product: windows
+detection:
+    selection:
+        TargetFilename|endswith: '\wermgr.exe'
+    filter_main_locations:
+        TargetFilename|contains:
+            - ':\$WINDOWS.~BT\NewOS\'
+            - ':\Windows\servicing\LCU\'
+            - ':\Windows\System32\'
+            - ':\Windows\SysWOW64\'
+            - ':\Windows\WinSxS\'
+            - ':\WUDownloadCache\' # Windows Update Download Cache
+    condition: selection and not 1 of filter_main_*
+falsepositives:
+    - Unknown
+level: high
diff --git a/...ats/2023/Exploits/CVE-2023-36874/proc_creation_win_exploit_cve_2023_34362_fake_wermgr.yml b/...ats/2023/Exploits/CVE-2023-36874/proc_creation_win_exploit_cve_2023_34362_fake_wermgr.yml
@@ -0,0 +1,27 @@
+title: Potential CVE-2023-36874 Exploitation - Fake Wermgr Execution
+id: 50dbc08b-60ce-40f1-a6b6-346497e34c88
+status: experimental
+description: Detects the execution of a renamed "cmd", "powershell" or "powershell_ise" binary. Attackers were seen using these binaries in a renamed form as "wermgr.exe" in exploitation of CVE-2023-36874
+references:
+    - https://github.com/Wh04m1001/CVE-2023-36874
+    - https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/08/23
+tags:
+    - attack.execution
+    - cve.2023.36874
+    - detection.emerging_threats
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        OriginalFileName:
+            - 'Cmd.Exe'
+            - 'powershell_ise.EXE'
+            - 'powershell.exe'
+        Image|endswith: '\wermgr.exe'
+    condition: selection
+falsepositives:
+    - Unlikely
+level: high
diff --git a/rules/windows/file/file_event/file_event_win_new_src_file.yml b/rules/windows/file/file_event/file_event_win_new_src_file.yml
@@ -6,7 +6,7 @@ references:
     - https://lolbas-project.github.io/lolbas/Libraries/Desk/
 author: 'Christopher Peacock @securepeacock, SCYTHE @scythe_io'
 date: 2022/04/27
-modified: 2023/02/23
+modified: 2023/08/23
 tags:
     - attack.defense_evasion
     - attack.t1218.011
@@ -17,11 +17,11 @@ detection:
     selection:
         TargetFilename|endswith: '.scr'
     filter:
-        TargetFilename|startswith:
-            - 'C:\$WINDOWS.~BT\NewOS\'
-            - 'C:\Windows\System32\'
-            - 'C:\Windows\SysWOW64\'
-            - 'C:\Windows\WinSxS\'
+        TargetFilename|contains:
+            - ':\$WINDOWS.~BT\NewOS\'
+            - ':\Windows\System32\'
+            - ':\Windows\SysWOW64\'
+            - ':\Windows\WinSxS\'
             - ':\WUDownloadCache\' # Windows Update Download Cache
     condition: selection and not filter
 falsepositives:

diff --git a/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml b/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml
@@ -21,7 +21,7 @@ references:
     - https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/
 author: Matthew Green - @mgreen27, Florian Roth (Nextron Systems), frack113
 date: 2019/06/15
-modified: 2023/03/01
+modified: 2023/08/23
 tags:
     - attack.defense_evasion
     - attack.t1036.003
@@ -37,40 +37,42 @@ detection:
             - 'Windows PowerShell'
             - 'pwsh'
         - OriginalFileName:
-            - 'powershell.exe'
-            - 'pwsh.dll'
+            - 'certutil.exe'
+            - 'cmstp.exe'
+            - 'cscript.exe'
+            - 'mshta.exe'
+            - 'msiexec.exe'
             - 'powershell_ise.exe'
-            - 'psexec.exe'
+            - 'powershell.exe'
             - 'psexec.c'        # old versions of psexec (2016 seen)
+            - 'psexec.exe'
             - 'psexesvc.exe'
-            - 'cscript.exe'
-            - 'wscript.exe'
-            - 'mshta.exe'
+            - 'pwsh.dll'
+            - 'reg.exe'
             - 'regsvr32.exe'
-            - 'wmic.exe'
-            - 'certutil.exe'
             - 'rundll32.exe'
-            - 'cmstp.exe'
-            - 'msiexec.exe'
-            - 'reg.exe'
+            - 'WerMgr'
+            - 'wmic.exe'
+            - 'wscript.exe'
     filter:
         Image|endswith:
-            - '\powershell.exe'
-            - '\pwsh.exe'
+            - '\certutil.exe'
+            - '\cmstp.exe'
+            - '\cscript.exe'
+            - '\mshta.exe'
+            - '\msiexec.exe'
             - '\powershell_ise.exe'
+            - '\powershell.exe'
             - '\psexec.exe'
             - '\psexec64.exe'
             - '\PSEXESVC.exe'
-            - '\cscript.exe'
-            - '\wscript.exe'
-            - '\mshta.exe'
+            - '\pwsh.exe'
+            - '\reg.exe'
             - '\regsvr32.exe'
-            - '\wmic.exe'
-            - '\certutil.exe'
             - '\rundll32.exe'
-            - '\cmstp.exe'
-            - '\msiexec.exe'
-            - '\reg.exe'
+            - '\wermgr.exe'
+            - '\wmic.exe'
+            - '\wscript.exe'
     condition: selection and not filter
 falsepositives:
     - Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist

diff --git a/rules/windows/process_creation/proc_creation_win_wermgr_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_wermgr_susp_child_process.yml
@@ -1,38 +1,43 @@
-title: Suspicious WERMGR Process Patterns
+title: Suspicious Child Process Of Wermgr.EXE
 id: 396f6630-f3ac-44e3-bfc8-1b161bc00c4e
+related:
+    - id: 5394fcc7-aeb2-43b5-9a09-cac9fc5edcd5
+      type: similar
 status: experimental
-description: Detects suspicious Windows Error Reporting manager (wermgr.exe) process patterns - suspicious parents / children, execution folders, command lines etc.
+description: Detects suspicious Windows Error Reporting manager (wermgr.exe) child process
 references:
     - https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html
     - https://www.echotrail.io/insights/search/wermgr.exe
     - https://github.com/binderlabs/DirCreate2System
 author: Florian Roth (Nextron Systems)
 date: 2022/10/14
-modified: 2023/02/06
+modified: 2023/08/23
+tags:
+    - attack.execution
 logsource:
     category: process_creation
     product: windows
 detection:
-    selection_susp_parent:
+    selection:
         ParentImage|endswith: '\wermgr.exe'
         Image|endswith:
-            - '\nslookup.exe'
+            - '\cmd.exe'
+            - '\cscript.exe'
             - '\ipconfig.exe'
+            - '\mshta.exe'
             - '\net.exe'
             - '\net1.exe'
-            - '\whoami.exe'
             - '\netstat.exe'
-            - '\systeminfo.exe'
-            - '\cmd.exe'
+            - '\nslookup.exe'
+            - '\powershell_ise.exe'
             - '\powershell.exe'
-    selection_img:
-        Image|endswith: '\wermgr.exe'
-    filter_img_location:
-        Image|startswith:
-            - 'C:\Windows\System32\'
-            - 'C:\Windows\SysWOW64\'
-            - 'C:\Windows\WinSxS\'
-    condition: 1 of selection_susp* or (selection_img and not filter_img_location)
+            - '\pwsh.exe'
+            - '\regsvr32.exe'
+            - '\rundll32.exe'
+            - '\systeminfo.exe'
+            - '\whoami.exe'
+            - '\wscript.exe'
+    condition: selection
 falsepositives:
     - Unknown
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_wermgr_susp_exec_location.yml b/rules/windows/process_creation/proc_creation_win_wermgr_susp_exec_location.yml
@@ -0,0 +1,31 @@
+title: Suspicious Execution Location Of Wermgr.EXE
+id: 5394fcc7-aeb2-43b5-9a09-cac9fc5edcd5
+related:
+    - id: 396f6630-f3ac-44e3-bfc8-1b161bc00c4e
+      type: similar
+status: experimental
+description: Detects suspicious Windows Error Reporting manager (wermgr.exe) execution location.
+references:
+    - https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html
+    - https://www.echotrail.io/insights/search/wermgr.exe
+    - https://github.com/binderlabs/DirCreate2System
+author: Florian Roth (Nextron Systems)
+date: 2022/10/14
+modified: 2023/08/23
+tags:
+    - attack.execution
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image|endswith: '\wermgr.exe'
+    filter_main_legit_location:
+        Image|startswith:
+            - 'C:\Windows\System32\'
+            - 'C:\Windows\SysWOW64\'
+            - 'C:\Windows\WinSxS\'
+    condition: selection and not 1 of filter_main_*
+falsepositives:
+    - Unknown
+level: high