CVE-2023-36884 Dropped file hunting
CVE 2023 36884 Dropped File
Query
DeviceFileEvents
| where ActionType == "FileCreated"
| where FolderPath startswith @"C:\Users\"
| where FolderPath contains @"\AppData\Roaming\Microsoft\Office\Recent\"
| where FolderPath endswith @"\file001.url"About this query
CVE-2023-36884 Dropped file hunting
Description
Following relevant puplic reports of analysis with regards to CVE-2023-36884 exploitation, the following query can help hunt for the second stage dropped file.
References
- https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
- https://github.com/SigmaHQ/sigma/blob/master/rules-emerging-threats/2023/Exploits/CVE-2023-36884/file_event_win_exploit_cve_2023_36884_office_windows_html_rce_file_patterns.yml
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36884
Microsoft 365 Defender & Microsoft Sentinel
MITRE ATT&CK Mapping
- Tactic: Defense Evasion
- Technique ID: T1211
- Exploitation for Defense Evasion
Source
Versioning
| Version | Date | Comments |
|---|---|---|
| 1.0 | 18/07/2023 | Initial publish |
Explanation
This query is used to hunt for a specific file that is dropped as part of the exploitation of CVE-2023-36884. It filters for file creation events in the "C:\Users" folder that contain the path "\AppData\Roaming\Microsoft\Office\Recent" and end with "\file001.url". The query is relevant for Microsoft 365 Defender and Microsoft Sentinel. The MITRE ATT&CK mapping shows that this query is related to the Defense Evasion tactic and Technique ID T1211.
