-
Notifications
You must be signed in to change notification settings - Fork 6
/
Copy pathattachment_cve_2023_36884.yml
42 lines (41 loc) · 1.68 KB
/
attachment_cve_2023_36884.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
name: "Attachment: Office Document with Embedded RTF Referencing Remote Resources CVE-2023-36884 (Unsolicited)"
description: |
An Office document with an embedded RTF file. This RTF file contains OLE Objects that leverage remote resources, as exploited by CVE-2023-36884.
type: "rule"
severity: "critical"
authors:
- twitter: "delivr_to"
references:
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/an-inside-look-into-microsoft-rich-text-format-and-ole-exploits/
- https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
source: |
type.inbound
and any(attachments,
(
// Office document or a file archive format
.file_extension in $file_extensions_macros or
.file_extension in $file_extensions_common_archives
) and
any(file.explode(.),
// Office extension containing an RTF
.file_extension in $file_extensions_macros and
any(.scan.zip.attempted_files, strings.iends_with(., ".rtf"))
) and
any(file.explode(.),
// RTF file containing references to an OLE Object with remote resource
.file_extension == "rtf" and
any(.scan.strings.strings,
strings.icontains(., '\object') and // embedded OLE Object
strings.icontains(., '\objdata') and // embedded OLE Object
strings.icontains(., '\objautlink') // remote link embedded OLE Object
)
)
)
and (
not profile.by_sender_email().solicited
or sender.email.domain.domain == "delivrto.me"
)
tags:
- "Suspicious Attachment"
- "CVE-2023-36884"