Attachment: Zip Exploiting CVE-2023-38831 (Unsolicited)

Sublime Rules

Summary
This detection rule identifies Zip file attachments that may exploit CVE-2023-38831, a critical-severity vulnerability in WinRAR versions prior to 6.23. The flaw lies in how WinRAR handles file paths during extraction: specially crafted paths inside the archive can lead to an attacker's commands being executed.

The rule looks for Zip attachments in email that match criteria characteristic of the exploit, such as unexpected file extensions and suspicious patterns in file paths. In particular, it checks for archives whose paths combine a space with a script extension (such as .cmd), or whose paths appear deceptive to the user.

To separate legitimate from potentially harmful senders, the rule also compares the sender's domain against a list of known free email providers and against the recipients' email domains. Its goal is to flag unsolicited zip files that could exploit this vulnerability so that they are acted on before a user extracts them.
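The two checks the summary describes, as an added Python illustration rather than the rule's own source (which this page does not reproduce): an attachment check over zip entry names and a sender check against a free-mail list. The free-mail domain set, the extra .bat extension and the sample archive (placeholder text only) are assumptions constructed for the example.

```python
import io
import re
import zipfile

# Script extensions treated as executable. The page names .cmd; .bat is an added assumption.
SCRIPT_EXTS = ("cmd", "bat")
# Matches a document-looking basename, a space, then a script extension, e.g. "invoice.pdf .cmd".
SPACED_SCRIPT_RE = re.compile(r"\.[a-z0-9]{2,5} \.(?:%s)$" % "|".join(SCRIPT_EXTS), re.IGNORECASE)
# Constructed stand-in for the rule's free-mail provider list (assumption; the real list is not on the page).
FREE_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "proton.me"}


def suspicious_entries(names):
    """Return entries whose basename pairs a space with a script extension, noting whether a
    same-named decoy file sits beside the directory holding the script (the deceptive layout)."""
    files = {n for n in names if not n.endswith("/")}
    hits = []
    for n in files:
        parent, _, base = n.rpartition("/")
        if SPACED_SCRIPT_RE.search(base):
            hits.append({"path": n, "decoy_sibling": parent in files})
    return sorted(hits, key=lambda h: h["path"])


def sender_is_unsolicited(sender, recipients):
    """Flag a sender on a free-mail provider whose domain matches none of the recipients."""
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    recipient_domains = {r.rsplit("@", 1)[-1].lower() for r in recipients}
    return sender_domain in FREE_MAIL_DOMAINS and sender_domain not in recipient_domains


def evaluate(zip_bytes, sender, recipients):
    """Combine the attachment check and the sender check the way the summary describes."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        hits = suspicious_entries(zf.namelist())
    return {"entries": hits, "flag": bool(hits) and sender_is_unsolicited(sender, recipients)}


def build_sample_zip():
    """Constructed test input: decoy 'invoice.pdf ' beside a same-named directory holding
    'invoice.pdf .cmd'. Members contain placeholder text only; this is detector input, not an exploit."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf ", "placeholder decoy")
        zf.writestr("invoice.pdf /invoice.pdf .cmd", "placeholder")
        zf.writestr("readme.txt", "benign file")
    return buf.getvalue()
```

Run `evaluate(build_sample_zip(), "someone@gmail.com", ["alice@example.org"])` to see the combined verdict; the same archive from a sender on the recipient's own domain is not flagged.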
Categories
  • Endpoint
  • Network
  • Cloud
  • Application
Data Sources
  • File
  • Network Traffic
  • Application Log
Created: 2023-09-28