CVE-2023-36884 WinRAR spawning CMD
CVE 2023 38831 Winrar Spawning Cmd
Query
DeviceProcessEvents
| where InitiatingProcessParentFileName has @"winrar.exe"
| where InitiatingProcessFileName has @"cmd.exe"
| project Timestamp, DeviceName, FileName, FolderPath, ProcessCommandLine, AccountName
| sort by Timestamp descAbout this query
CVE-2023-36884 WinRAR spawning CMD
Description
If you are using a RARLabs WinRAR version prior to 6.23, you are vulnerable to CVE-2023-36884 which allows RCE. A benign file like PDF or JPG could facilitate the execution of arbitrary code.
References
Microsoft 365 Defender & Microsoft Sentinel
MITRE ATT&CK Mapping
- Tactic: Execution
- Technique ID: T1059.003
- Command and Scripting Interpreter: Windows Command Shell
Source
MDE, however if you have ASR enabled you will be able to detect this activity as suspicious.
Versioning
| Version | Date | Comments |
|---|---|---|
| 1.0 | 10/09/2023 | Initial publish |
Explanation
This query is used to detect a vulnerability in WinRAR versions prior to 6.23, which can allow remote code execution (CVE-2023-36884). The query looks for instances where the WinRAR process spawns the CMD process, indicating potential exploitation. It retrieves information such as the timestamp, device name, file name, folder path, process command line, and account name. The query is useful for detecting and investigating this suspicious activity.
