Query Details

CVE-2023-36884 Dropped file hunting

CVE 2023 36884 Dropped File

Query

DeviceFileEvents
| where ActionType == "FileCreated"
| where FolderPath startswith @"C:\Users\"
| where FolderPath contains @"\AppData\Roaming\Microsoft\Office\Recent\"
| where FolderPath endswith @"\file001.url"

About this query

CVE-2023-36884 Dropped file hunting

Description

Following relevant puplic reports of analysis with regards to CVE-2023-36884 exploitation, the following query can help hunt for the second stage dropped file.

References

Microsoft 365 Defender & Microsoft Sentinel

MITRE ATT&CK Mapping

Source

Versioning

VersionDateComments
1.018/07/2023Initial publish

Explanation

This query is used to hunt for a specific file that is dropped as part of the exploitation of CVE-2023-36884. It filters for file creation events in the "C:\Users" folder that contain the path "\AppData\Roaming\Microsoft\Office\Recent" and end with "\file001.url". The query is relevant for Microsoft 365 Defender and Microsoft Sentinel. The MITRE ATT&CK mapping shows that this query is related to the Defense Evasion tactic and Technique ID T1211.

Details

Michalis Michalos profile picture

Michalis Michalos

Released: August 14, 2023

Tables

DeviceFileEvents

Keywords

DeviceFileEventsActionTypeFolderPath

Operators

|where==startswithcontainsendswith

MITRE Techniques

Actions

GitHub