Query Details

CVE-2023-38831 WinRAR Spawning CMD

Query

# CVE-2023-38831 WinRAR spawning CMD

### Description

If you are using a RARLabs WinRAR version prior to 6.23, you are vulnerable to CVE-2023-38831, which allows remote code execution (RCE). A seemingly benign file such as a PDF or JPG can be used to trigger execution of arbitrary code.

### References
- https://github.com/HDCE-inc/CVE-2023-38831
- https://nvd.nist.gov/vuln/detail/CVE-2023-38831

### Microsoft 365 Defender & Microsoft Sentinel
```kql
// DeviceProcessEvents holds one row per created process (FileName).
// InitiatingProcessFileName is that process's parent and
// InitiatingProcessParentFileName its grandparent, so the two filters below
// return processes started by a cmd.exe that was itself launched by WinRAR.
DeviceProcessEvents
| where InitiatingProcessParentFileName has @"winrar.exe"
| where InitiatingProcessFileName has @"cmd.exe"
// InitiatingProcessCommandLine shows what cmd.exe was asked to run.
| project Timestamp, DeviceName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessCommandLine, AccountName
| sort by Timestamp desc
```

### MITRE ATT&CK Mapping
- Tactic: Execution
- Technique ID: T1059.003
- [Command and Scripting Interpreter: Windows Command Shell](https://attack.mitre.org/techniques/T1059/003/)

### Source

MDE; however, if you have ASR rules enabled, this activity will also be flagged as suspicious.

### Versioning
| Version       | Date          | Comments                          |
| ------------- |---------------| ----------------------------------|
| 1.0           | 10/09/2023    | Initial publish                   |

Explanation

This query is used to detect possible exploitation of WinRAR versions prior to 6.23, which can allow remote code execution (CVE-2023-38831). The query looks for cmd.exe launched under WinRAR: each returned row is a process whose parent is cmd.exe and whose grandparent is winrar.exe, which indicates potential exploitation. It retrieves information such as the timestamp, device name, file name, folder path, process command line, and account name. The query is useful for detecting and investigating this suspicious activity.
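The following Python script is an added example, not the query author's code: it emulates the page's KQL filters over constructed DeviceProcessEvents rows so the parent/grandparent logic can be checked offline. Column names follow the DeviceProcessEvents schema; the hostnames, paths, times and the `example.exe` child process are invented sample data. It also includes a hypothetical direct-spawn variant (row is cmd.exe, parent is winrar.exe) to show which rows each form returns. The KQL `has` operator is approximated by case-insensitive equality.

```python
"""Emulate the WinRAR -> cmd.exe hunting query over constructed process rows.

Each DeviceProcessEvents row describes one created process (FileName).
InitiatingProcessFileName is its parent and InitiatingProcessParentFileName
its grandparent, so the page's query returns the children of a cmd.exe whose
grandparent is winrar.exe; it does not return the cmd.exe row itself.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Dict


@dataclass(frozen=True)
class ProcessEvent:
    Timestamp: str
    DeviceName: str
    FileName: str                          # process that was created (the row)
    FolderPath: str
    ProcessCommandLine: str
    AccountName: str
    InitiatingProcessFileName: str         # parent process
    InitiatingProcessParentFileName: str   # grandparent process


# Constructed sample rows: hostnames, users, paths and times are invented.
SAMPLE_EVENTS = [
    # explorer.exe -> winrar.exe -> cmd.exe: WinRAR itself launches cmd.exe.
    ProcessEvent("2023-09-10T09:00:01Z", "ws01", "cmd.exe",
                 r"C:\Windows\System32\cmd.exe",
                 r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\script.cmd"',
                 "alice", "winrar.exe", "explorer.exe"),
    # winrar.exe -> cmd.exe -> conhost.exe: every cmd.exe spawns a console
    # host, so the page's query also surfaces this row.
    ProcessEvent("2023-09-10T09:00:02Z", "ws01", "conhost.exe",
                 r"C:\Windows\System32\conhost.exe",
                 r"\??\C:\Windows\system32\conhost.exe 0x4",
                 "alice", "cmd.exe", "winrar.exe"),
    # winrar.exe -> cmd.exe -> example.exe: a program run by that cmd.exe.
    ProcessEvent("2023-09-10T09:00:03Z", "ws01", "example.exe",
                 r"C:\Users\alice\AppData\Local\Temp\example.exe",
                 "example.exe", "alice", "cmd.exe", "winrar.exe"),
    # explorer.exe -> cmd.exe -> ipconfig.exe: ordinary shell use, no WinRAR.
    ProcessEvent("2023-09-10T08:55:00Z", "ws02", "ipconfig.exe",
                 r"C:\Windows\System32\ipconfig.exe",
                 "ipconfig /all", "bob", "cmd.exe", "explorer.exe"),
]

# Columns kept by the page's "| project ..." line.
PROJECTED = ("Timestamp", "DeviceName", "FileName", "FolderPath",
             "ProcessCommandLine", "AccountName")


def page_query(ev: ProcessEvent) -> bool:
    """Filter from the page's KQL: grandparent winrar.exe, parent cmd.exe."""
    return (ev.InitiatingProcessParentFileName.lower() == "winrar.exe"
            and ev.InitiatingProcessFileName.lower() == "cmd.exe")


def direct_spawn(ev: ProcessEvent) -> bool:
    """Hypothetical variant: the row is cmd.exe and its parent is winrar.exe."""
    return (ev.InitiatingProcessFileName.lower() == "winrar.exe"
            and ev.FileName.lower() == "cmd.exe")


def run_query(events: Iterable[ProcessEvent],
              predicate: Callable[[ProcessEvent], bool]) -> List[Dict[str, str]]:
    """Apply the filter, project the page's columns, sort by Timestamp desc."""
    hits = sorted((e for e in events if predicate(e)),
                  key=lambda e: e.Timestamp, reverse=True)
    return [{col: getattr(e, col) for col in PROJECTED} for e in hits]


if __name__ == "__main__":
    for name, pred in (("page query", page_query), ("direct spawn", direct_spawn)):
        print(f"== {name} ==")
        for row in run_query(SAMPLE_EVENTS, pred):
            print(row["Timestamp"], row["DeviceName"], row["FileName"],
                  row["AccountName"], row["ProcessCommandLine"])
```

Running it shows that the page's filters return `example.exe` and `conhost.exe` (the children of the WinRAR-launched cmd.exe) but not the cmd.exe row, while the direct-spawn variant returns only the cmd.exe row; the two forms complement each other, and conhost.exe rows are an expected companion hit in the page's form.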

Details


Michalis Michalos

Released: September 10, 2023

Tables

DeviceProcessEvents

Keywords

Devices, Intune, User

Operators

where, has, project, sort by
