-
Notifications
You must be signed in to change notification settings - Fork 6
/
Copy pathattachment_cve_2023_38831.yml
61 lines (60 loc) · 2.08 KB
/
attachment_cve_2023_38831.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
name: "Attachment: Zip Exploiting CVE-2023-38831 (Unsolicited)"
description: |
A Zip attachment that exhibits attributes required to exploit CVE-2023-38831, a vulnerability in WinRAR (prior to 6.23).
type: "rule"
severity: "critical"
authors:
- twitter: "delivr_to"
references:
- https://twitter.com/GroupIB_TI/status/1694277126944633328
- https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/
- https://github.com/b1tg/CVE-2023-38831-winrar-exploit/
- https://delivr.to/payloads?id=ab969e8a-bf5c-45a6-acd0-0dd2b2a34750
source: |
type.inbound
and any(attachments,
.file_extension in $file_extensions_common_archives and
any(file.explode(.),
(
.depth == 0 and
any(.scan.zip.all_paths,
regex.match(.,
// zip contains a path with spaces and file extensions
// lure.pdf /lure.pdf .cmd
//
// /= Initial file name (including any spaces)
// |
// | /= Space
// | |
// | | /= Folder
// | | |
// | | | /= Repeated file name
// | | | |
// | | | | /= Space
// | | | | |
// | | | | | /= Real script ending
// | | | | | |
'.+\.\w+\s\/.+\.\w+\s\.\w+'
)
)
) and
(
// One file name is present in another, e.g.
// delivrto.pdf
// delivrto.pdf /delivrto.pdf .cmd
any(.scan.zip.all_paths,
any(..scan.zip.all_paths,
. != .. and
strings.starts_with(., ..)
)
)
)
)
)
and (
not profile.by_sender_email().solicited
or sender.email.domain.domain == "delivrto.me"
)
tags:
- "Suspicious Attachment"
- "CVE-2023-38831"