
Add rule: rules/windows/file/file_event/file_event_win_cve_2023_27363… #4239

Merged
merged 5 commits into from
Oct 11, 2023

Conversation

greg-workspace
Contributor

@greg-workspace greg-workspace commented May 16, 2023

…_foxit_pdf.yml

Summary of the Pull Request

This PR adds a new rule for CVE-2023-27363 exploitation.

Changelog

new: Potential CVE-2023-27363 Exploitation - HTA File Creation By FoxitPDFReader

Example Log Event

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385f-c22a-43e0-bf4c-06f5698ffbd9}" />
    <EventID>11</EventID>
    <Version>2</Version>
    <Level>4</Level>
    <Task>11</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2023-05-16T03:05:31.5364462Z" />
    <EventRecordID>146</EventRecordID>
    <Correlation />
    <Execution ProcessID="5484" ThreadID="4300" />
    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
    <Computer>DESKTOP-2K5M2N9</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="RuleName">T1023</Data>
    <Data Name="UtcTime">2023-05-16 03:05:31.525</Data>
    <Data Name="ProcessGuid">{d7c7130f-f2f9-6462-9102-000000004000}</Data>
    <Data Name="ProcessId">6304</Data>
    <Data Name="Image">C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe</Data>
    <Data Name="TargetFilename">C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\evil.hta</Data>
    <Data Name="CreationUtcTime">2023-05-16 03:05:31.525</Data>
  </EventData>
</Event>

Fixed Issues

N/A

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions

@nasbench nasbench self-requested a review May 16, 2023 12:53
@nasbench nasbench self-assigned this May 16, 2023
@nasbench nasbench added Rules Windows Pull request add/update windows related rules Emerging-Threats labels May 16, 2023
@frack113
Member

file_event_win_startup_folder_file_write is a general detection for files being created in the Windows startup directory.

Can we write the rule more generically? I think of 2 possible ways:

  • a list of dangerous extensions which should not be normal
  • when it is not a '.lnk', even if it is a dangerous extension too

@greg-workspace
Contributor Author

greg-workspace commented May 22, 2023

> file_event_win_startup_folder_file_write is a general detection for files being created in the Windows startup directory.
>
> Can we write the rule more generically? I think of 2 possible ways:
>
>   • a list of dangerous extensions which should not be normal
>   • when it is not a '.lnk', even if it is a dangerous extension too

The rule file_event_win_cve_2023_27363.yml is intended to hunt malicious PDFs in VirusTotal, and due to the limitation of CVE-2023-27363, only the .hta extension is able to trigger RCE. However, a generic rule cannot hunt this specific kind of attack.
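The specific detection the PR describes (FoxitPDFReader.exe creating a .hta file in the Startup folder, Sysmon Event ID 11) and the two generic alternatives frack113 proposes, evaluated against the PR's example event, as an added Python example that is not part of the PR or the SigmaHQ rule set. The merged rule's YAML is not shown on this page, so the field logic below is an assumption reconstructed from the rule title and the example event, and the dangerous-extension list is a constructed placeholder, not the one any SigmaHQ rule uses.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: a trimmed copy of the Sysmon Event ID 11 shown in the PR description.
SAMPLE_EVENT = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>11</EventID></System>
<EventData>
<Data Name="Image">C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe</Data>
<Data Name="TargetFilename">C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\evil.hta</Data>
</EventData></Event>"""

# Per-user and all-users Startup folders both end with this path fragment (compared lower-cased,
# mirroring Sigma's case-insensitive string modifiers).
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"
# Assumed placeholder list for frack113's first variant; not taken from any SigmaHQ rule.
DANGEROUS_EXT = (".hta", ".exe", ".dll", ".scr", ".vbs", ".js", ".ps1", ".bat", ".cmd")


def parse_event(xml_text):
    """Flatten a Sysmon event into a dict of EventID plus the EventData Name/value pairs."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    fields["EventID"] = root.findtext("e:System/e:EventID", default="", namespaces=NS)
    return fields


def _startup_file_event(ev):
    target = ev.get("TargetFilename", "").lower()
    return ev.get("EventID") == "11" and STARTUP_DIR in target


def cve_2023_27363_match(ev):
    """Assumed logic of the PR's rule: Foxit PDF Reader dropping a .hta into Startup."""
    image = ev.get("Image", "").lower()
    target = ev.get("TargetFilename", "").lower()
    return _startup_file_event(ev) and image.endswith("\\foxitpdfreader.exe") and target.endswith(".hta")


def startup_dangerous_ext_match(ev, dangerous_ext=DANGEROUS_EXT):
    """frack113's first variant: any process writing a file with a risky extension into Startup."""
    return _startup_file_event(ev) and ev.get("TargetFilename", "").lower().endswith(dangerous_ext)


def startup_non_lnk_match(ev):
    """frack113's second variant: anything written to Startup that is not a .lnk shortcut."""
    return _startup_file_event(ev) and not ev.get("TargetFilename", "").lower().endswith(".lnk")
```

The generic variants also fire when a different process drops the same file, which is exactly the trade-off discussed above: broader coverage of Startup persistence, but no way to single out this CVE's Foxit-specific path.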

@nasbench nasbench added the Work In Progress Some changes are needed label Jun 14, 2023
@nasbench nasbench marked this pull request as draft September 10, 2023 22:32
@nasbench nasbench removed the Work In Progress Some changes are needed label Oct 11, 2023
@nasbench nasbench marked this pull request as ready for review October 11, 2023 10:59
@nasbench nasbench added the 2nd Review Needed PR need a second approval label Oct 11, 2023
@nasbench
Member

Thanks for the contribution @greg-workspace and sorry this took so long.

@nasbench nasbench removed the 2nd Review Needed PR need a second approval label Oct 11, 2023
@nasbench nasbench merged commit 871f41d into SigmaHQ:master Oct 11, 2023
10 checks passed