Query Details

CVE 2023 36884 Dropped File

Query

# CVE-2023-36884 Dropped file hunting

### Description

Following the public analysis reports of CVE-2023-36884 exploitation listed under References, the following query helps hunt for the second-stage file (file001.url) dropped under the user's Office "Recent" folder.

### References
- https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
- https://github.com/SigmaHQ/sigma/blob/master/rules-emerging-threats/2023/Exploits/CVE-2023-36884/file_event_win_exploit_cve_2023_36884_office_windows_html_rce_file_patterns.yml
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36884

### Microsoft 365 Defender & Microsoft Sentinel
```
DeviceFileEvents
| where ActionType == "FileCreated"
| where FolderPath startswith @"C:\Users\"
| where FolderPath contains @"\AppData\Roaming\Microsoft\Office\Recent\"
| where FolderPath endswith @"\file001.url"
```

### MITRE ATT&CK Mapping
- Tactic: Defense Evasion
- Technique ID: T1211
- [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211/)

### Source

### Versioning
| Version       | Date          | Comments                          |
| ------------- |---------------| ----------------------------------|
| 1.0           | 18/07/2023    | Initial publish                   |

Explanation

This query hunts for a specific file dropped during exploitation of CVE-2023-36884. It selects FileCreated events from DeviceFileEvents whose FolderPath begins with "C:\Users\", contains "\AppData\Roaming\Microsoft\Office\Recent\" and ends with "\file001.url", i.e. a file named file001.url written into a user's Office "Recent" folder. The endswith clause does the file-name check, so the query relies on FolderPath carrying the full path including the file name, as it does in DeviceFileEvents. The query runs unchanged in Microsoft 365 Defender advanced hunting and in Microsoft Sentinel. The MITRE ATT&CK mapping relates it to the Defense Evasion tactic, technique T1211 (Exploitation for Defense Evasion).
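To make the matching behaviour of the query concrete, here is the same predicate re-implemented in Python and run over a handful of constructed DeviceFileEvents rows. This is an added example, not code from the original page or its author; the rows, device names and user names are made up, and only the ActionType and FolderPath columns the query touches are modelled. It reproduces two KQL semantics worth knowing when reading the query: `==` is case-sensitive, while `startswith`, `contains` and `endswith` are case-insensitive (the `_cs` variants are the case-sensitive ones).

```python
# Added example (not part of the original query page): the KQL predicate
# re-implemented in Python and run over constructed DeviceFileEvents rows so the
# matching behaviour can be checked offline. Column names follow the
# DeviceFileEvents schema; the row values are made up for this example.

PROFILE_PREFIX = "C:\\Users\\"                                     # startswith
RECENT_MARKER = "\\AppData\\Roaming\\Microsoft\\Office\\Recent\\"  # contains
DROP_SUFFIX = "\\file001.url"                                      # endswith


def matches_dropped_file(row: dict) -> bool:
    """Mirror of the KQL `where` chain for one DeviceFileEvents row.

    KQL `==` is case-sensitive, so ActionType is compared exactly; KQL
    `startswith` / `contains` / `endswith` are case-insensitive, so the
    path comparison folds case on both sides.
    """
    if row.get("ActionType") != "FileCreated":
        return False
    path = row.get("FolderPath", "").lower()
    return (
        path.startswith(PROFILE_PREFIX.lower())
        and RECENT_MARKER.lower() in path
        and path.endswith(DROP_SUFFIX.lower())
    )


def hunt(rows):
    """Return the rows the KQL query would surface, in input order."""
    return [row for row in rows if matches_dropped_file(row)]


# Constructed sample events: two true hits (one in mixed case), a modify event
# on the same path, an ordinary Office "Recent" shortcut, and a user profile on
# a drive other than C: that the query's hard-coded prefix will not see.
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "ActionType": "FileCreated",
     "FolderPath": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Office\\Recent\\file001.url"},
    {"DeviceName": "ws02", "ActionType": "FileCreated",
     "FolderPath": "c:\\users\\BOB\\appdata\\roaming\\microsoft\\office\\recent\\FILE001.URL"},
    {"DeviceName": "ws03", "ActionType": "FileModified",
     "FolderPath": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Office\\Recent\\file001.url"},
    {"DeviceName": "ws04", "ActionType": "FileCreated",
     "FolderPath": "C:\\Users\\dave\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Budget.xlsx.LNK"},
    {"DeviceName": "ws05", "ActionType": "FileCreated",
     "FolderPath": "D:\\Users\\carol\\AppData\\Roaming\\Microsoft\\Office\\Recent\\file001.url"},
]


def hunt_sample():
    """Device names of the sample rows the query matches."""
    return [row["DeviceName"] for row in hunt(SAMPLE_EVENTS)]


if __name__ == "__main__":
    for row in hunt(SAMPLE_EVENTS):
        print(row["DeviceName"], row["FolderPath"])
```

Two things the sample makes visible: the mixed-case row on ws02 still matches, so no `tolower()` is needed in the KQL, and the ws05 row does not, because the query's `startswith @"C:\Users\"` excludes user profiles that live on another drive. If profiles are redirected in your environment, drop that clause and rely on the Office "Recent" marker alone.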

Details

Michalis Michalos

Released: August 14, 2023

Tables

DeviceFileEvents

Keywords

DeviceFileEvents, ActionType, FolderPath

Operators

|, where, ==, startswith, contains, endswith