new: Potential CVE-2023-36874 Exploitation - Uncommon Report.Wer Location
new: Potential CVE-2023-36874 Exploitation - Fake Wermgr.Exe Creation
new: Potential CVE-2023-36874 Exploitation - Fake Wermgr Execution
new: Suspicious Execution Location Of Wermgr.EXE - split from 396f6630-f3ac-44e3-bfc8-1b161bc00c4e
update: Potential Defense Evasion Via Rename Of Highly Relevant Binaries - enhanced child process list
update: Suspicious Child Process Of Wermgr.EXE - update title
fix: SCR File Write Event - update modifier
---------
Co-authored-by: phantinuss <[email protected]>
1 parent 3ce631a, commit 67d1036
Showing 7 changed files with 172 additions and 44 deletions.
32 changes: 32 additions & 0 deletions
...ts/2023/Exploits/CVE-2023-36874/file_event_win_exploit_cve_2023_34362_report_creation.yml
@@ -0,0 +1,32 @@ | ||
title: Potential CVE-2023-36874 Exploitation - Uncommon Report.Wer Location | ||
id: 92389a99-5215-43b0-a09f-e334453b2ed3 | ||
status: experimental | ||
description: Detects the creation of a "Report.wer" file in an uncommon folder structure. This could be a sign of potential exploitation of CVE-2023-36874. | ||
references: | ||
- https://github.com/Wh04m1001/CVE-2023-36874 | ||
- https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/ | ||
author: Nasreddine Bencherchali (Nextron Systems) | ||
date: 2023/08/23 | ||
tags: | ||
- attack.execution | ||
- cve.2023.36874 | ||
- detection.emerging_threats | ||
logsource: | ||
category: file_event | ||
product: windows | ||
detection: | ||
selection: | ||
TargetFilename|contains: ':\ProgramData\Microsoft\Windows\WER\ReportArchive\' | ||
TargetFilename|endswith: '\Report.wer' | ||
filter_main_locations: | ||
TargetFilename|contains: | ||
# Note: This list is non exhaustive. Use this as a start for hunting for suspicious folder report | ||
- '\ReportArchive\AppCrash_' | ||
- '\ReportArchive\AppHang_' | ||
- '\ReportArchive\Critical_' | ||
- '\ReportArchive\Kernel_' | ||
- '\ReportArchive\NonCritical_' | ||
condition: selection and not 1 of filter_main_* | ||
falsepositives: | ||
- Unknown | ||
level: medium |
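Review bot: the file name carries `cve_2023_34362` while the rule's title, its `cve.2023.36874` tag and both references point at CVE-2023-36874; replace `34362` with `36874` in the file name so the rule is found when searching by CVE. Minor: the comment above `filter_main_locations` reads "hunting for suspicious folder report"; "hunting for suspicious report folders" states the intent more clearly.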
31 changes: 31 additions & 0 deletions
...ts/2023/Exploits/CVE-2023-36874/file_event_win_exploit_cve_2023_34362_wermgr_creation.yml
@@ -0,0 +1,31 @@ | ||
title: Potential CVE-2023-36874 Exploitation - Fake Wermgr.Exe Creation | ||
id: ad0960eb-0015-4d16-be13-b3d9f18f1342 | ||
status: experimental | ||
description: Detects the creation of a file named "wermgr.exe" being created in an uncommon directory. This could be a sign of potential exploitation of CVE-2023-36874. | ||
references: | ||
- https://github.com/Wh04m1001/CVE-2023-36874 | ||
- https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/ | ||
author: Nasreddine Bencherchali (Nextron Systems) | ||
date: 2023/08/23 | ||
tags: | ||
- attack.execution | ||
- cve.2023.36874 | ||
- detection.emerging_threats | ||
logsource: | ||
category: file_event | ||
product: windows | ||
detection: | ||
selection: | ||
TargetFilename|endswith: '\wermgr.exe' | ||
filter_main_locations: | ||
TargetFilename|contains: | ||
- ':\$WINDOWS.~BT\NewOS\' | ||
- ':\Windows\servicing\LCU\' | ||
- ':\Windows\System32\' | ||
- ':\Windows\SysWOW64\' | ||
- ':\Windows\WinSxS\' | ||
- ':\WUDownloadCache\' # Windows Update Download Cache | ||
condition: selection and not 1 of filter_main_* | ||
falsepositives: | ||
- Unknown | ||
level: high |
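Review bot: same file-name mismatch as the previous file (`cve_2023_34362` in the path for a CVE-2023-36874 rule). Also, `filter_main_locations` excludes the legitimate directories with `TargetFilename|contains`, whereas the execution-location rule added in this same commit anchors the same directories with `Image|startswith: 'C:\Windows\System32\'`; `contains` is satisfied wherever the substring occurs in the path, so either use `startswith` here as well or add a comment explaining why the drive-agnostic `contains` form was chosen, so the two rules do not drift apart.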
27 changes: 27 additions & 0 deletions
...ats/2023/Exploits/CVE-2023-36874/proc_creation_win_exploit_cve_2023_34362_fake_wermgr.yml
@@ -0,0 +1,27 @@ | ||
title: Potential CVE-2023-36874 Exploitation - Fake Wermgr Execution | ||
id: 50dbc08b-60ce-40f1-a6b6-346497e34c88 | ||
status: experimental | ||
description: Detects the execution of a renamed "cmd", "powershell" or "powershell_ise" binary. Attackers were seen using these binaries in a renamed form as "wermgr.exe" in exploitation of CVE-2023-36874 | ||
references: | ||
- https://github.com/Wh04m1001/CVE-2023-36874 | ||
- https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/ | ||
author: Nasreddine Bencherchali (Nextron Systems) | ||
date: 2023/08/23 | ||
tags: | ||
- attack.execution | ||
- cve.2023.36874 | ||
- detection.emerging_threats | ||
logsource: | ||
category: process_creation | ||
product: windows | ||
detection: | ||
selection: | ||
OriginalFileName: | ||
- 'Cmd.Exe' | ||
- 'powershell_ise.EXE' | ||
- 'powershell.exe' | ||
Image|endswith: '\wermgr.exe' | ||
condition: selection | ||
falsepositives: | ||
- Unlikely | ||
level: high |
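Review bot: the path again says `cve_2023_34362` for a CVE-2023-36874 rule; rename it with the others. The description is missing its final period after "CVE-2023-36874". Style: the `OriginalFileName` values mix casing ('Cmd.Exe', 'powershell_ise.EXE', 'powershell.exe'); matching is case-insensitive, but consistent casing reads better. The companion child-process rule in this commit lists `pwsh.exe`; if the same renamed-binary pattern is expected for PowerShell 7, its original file name belongs in this list too.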
37 changes: 21 additions & 16 deletions
rules/windows/process_creation/proc_creation_win_wermgr_susp_child_process.yml
@@ -1,38 +1,43 @@ | ||
title: Suspicious WERMGR Process Patterns | ||
title: Suspicious Child Process Of Wermgr.EXE | ||
id: 396f6630-f3ac-44e3-bfc8-1b161bc00c4e | ||
related: | ||
- id: 5394fcc7-aeb2-43b5-9a09-cac9fc5edcd5 | ||
type: similar | ||
status: experimental | ||
description: Detects suspicious Windows Error Reporting manager (wermgr.exe) process patterns - suspicious parents / children, execution folders, command lines etc. | ||
description: Detects suspicious Windows Error Reporting manager (wermgr.exe) child process | ||
references: | ||
- https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html | ||
- https://www.echotrail.io/insights/search/wermgr.exe | ||
- https://github.com/binderlabs/DirCreate2System | ||
author: Florian Roth (Nextron Systems) | ||
date: 2022/10/14 | ||
modified: 2023/02/06 | ||
modified: 2023/08/23 | ||
tags: | ||
- attack.execution | ||
logsource: | ||
category: process_creation | ||
product: windows | ||
detection: | ||
selection_susp_parent: | ||
selection: | ||
ParentImage|endswith: '\wermgr.exe' | ||
Image|endswith: | ||
- '\nslookup.exe' | ||
- '\cmd.exe' | ||
- '\cscript.exe' | ||
- '\ipconfig.exe' | ||
- '\mshta.exe' | ||
- '\net.exe' | ||
- '\net1.exe' | ||
- '\whoami.exe' | ||
- '\netstat.exe' | ||
- '\systeminfo.exe' | ||
- '\cmd.exe' | ||
- '\nslookup.exe' | ||
- '\powershell_ise.exe' | ||
- '\powershell.exe' | ||
selection_img: | ||
Image|endswith: '\wermgr.exe' | ||
filter_img_location: | ||
Image|startswith: | ||
- 'C:\Windows\System32\' | ||
- 'C:\Windows\SysWOW64\' | ||
- 'C:\Windows\WinSxS\' | ||
condition: 1 of selection_susp* or (selection_img and not filter_img_location) | ||
- '\pwsh.exe' | ||
- '\regsvr32.exe' | ||
- '\rundll32.exe' | ||
- '\systeminfo.exe' | ||
- '\whoami.exe' | ||
- '\wscript.exe' | ||
condition: selection | ||
falsepositives: | ||
- Unknown | ||
level: high |
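Review bot: the new description "Detects suspicious Windows Error Reporting manager (wermgr.exe) child process" should read "...child processes." (plural, with a period). Since the execution-location logic now lives in 5394fcc7-aeb2-43b5-9a09-cac9fc5edcd5, consider whether `references` still needs the DirCreate2System link, which concerns the location check rather than child processes; if it is kept for context, a short comment saying so would help the next reader. The alphabetical reordering of the `Image|endswith` list is fine.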
31 changes: 31 additions & 0 deletions
rules/windows/process_creation/proc_creation_win_wermgr_susp_exec_location.yml
@@ -0,0 +1,31 @@ | ||
title: Suspicious Execution Location Of Wermgr.EXE | ||
id: 5394fcc7-aeb2-43b5-9a09-cac9fc5edcd5 | ||
related: | ||
- id: 396f6630-f3ac-44e3-bfc8-1b161bc00c4e | ||
type: similar | ||
status: experimental | ||
description: Detects suspicious Windows Error Reporting manager (wermgr.exe) execution location. | ||
references: | ||
- https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html | ||
- https://www.echotrail.io/insights/search/wermgr.exe | ||
- https://github.com/binderlabs/DirCreate2System | ||
author: Florian Roth (Nextron Systems) | ||
date: 2022/10/14 | ||
modified: 2023/08/23 | ||
tags: | ||
- attack.execution | ||
logsource: | ||
category: process_creation | ||
product: windows | ||
detection: | ||
selection: | ||
Image|endswith: '\wermgr.exe' | ||
filter_main_legit_location: | ||
Image|startswith: | ||
- 'C:\Windows\System32\' | ||
- 'C:\Windows\SysWOW64\' | ||
- 'C:\Windows\WinSxS\' | ||
condition: selection and not 1 of filter_main_* | ||
falsepositives: | ||
- Unknown | ||
level: high |
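Review bot: this is a new file, yet it keeps `date: 2022/10/14` from the rule it was split out of and adds `modified: 2023/08/23`; either set `date` to the creation date or make the lineage explicit by using `related: type: derived` (pointing at 396f6630-f3ac-44e3-bfc8-1b161bc00c4e, which the commit message names as the source of the split) instead of `similar`. Also `filter_main_legit_location` hardcodes `C:\` via `Image|startswith`, while the file-event rule in this commit uses the drive-agnostic `':\Windows\System32\'`; a system installed on another drive letter would have its legitimate wermgr.exe flagged as suspicious, so align the two or document the choice.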