Merge PR SigmaHQ#4687 from @qasimqlf - Increase coverage of rule by adding additional image names

update: CVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process - Increase coverage
qasimqlf authored Jan 23, 2024
1 parent e2f0a3f commit c1a67a3
Showing 1 changed file with 4 additions and 0 deletions.
@@ -10,6 +10,7 @@ references:
- https://github.com/knight0x07/WinRAR-Code-Execution-Vulnerability-CVE-2023-38831/blob/26ab6c40b6d2c09bb4fc60feaa4a3a90cfd20c23/Part-1-Overview.md
author: Nasreddine Bencherchali (Nextron Systems), Andreas Braathen (mnemonic.io)
date: 2023/08/30
modified: 2024/01/22
tags:
- detection.emerging_threats
- attack.execution
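Review bot: the CVE number in the commit message (CVE-2023-38331) does not match the one in the rule's reference URL shown as context in this hunk (CVE-2023-38831); please confirm the rule's title, description and reference all carry the same identifier before merging. Bumping `modified` to 2024/01/22 is the right accompaniment to the logic change in the next hunk, since only rules whose detection changes should have the date touched.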
@@ -29,6 +30,9 @@ detection:
# Note: add additional binaries that the attacker might use
- Image|endswith:
- '\cmd.exe'
- '\cscript.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\wscript.exe'
- OriginalFileName:
- 'Cmd.Exe'
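Review bot: the three new `Image|endswith` entries (`\cscript.exe`, `\pwsh.exe`, `\wscript.exe`) are only half of the coverage if the sibling `OriginalFileName` list is not extended as well. The `OriginalFileName` branch exists so that a renamed copy of the binary is still caught; its list is cut off after `'Cmd.Exe'` in this view, so please confirm that the corresponding original file names for the new binaries are present there too, otherwise the rule gains coverage for the plain image path but not for the renamed-binary case that the `OriginalFileName` selector is meant to cover. Keeping the new entries alphabetised, as done here, matches the rest of the list.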
