← Back to Explore
sublimecriticalRule
Attachment: Zip exploiting CVE-2023-38831 (unsolicited)
A Zip attachment that exhibits attributes required to exploit CVE-2023-38831, a vulnerability in WinRAR (prior to 6.23).
Detection Query
type.inbound
and any(attachments,
.file_extension in $file_extensions_common_archives and
any(file.explode(.),
(
.depth == 0 and
any(.scan.zip.all_paths,
regex.match(.,
// zip contains a path with spaces and file extensions
// lure.pdf /lure.pdf .cmd
//
// /= Initial file name (including any spaces)
// |
// | /= Space
// | |
// | | /= Folder
// | | |
// | | | /= Repeated file name
// | | | |
// | | | | /= Space
// | | | | |
// | | | | | /= Real script ending
// | | | | | |
'.+\.\w+\s\/.+\.\w+\s\.\w+'
)
)
) and
(
// One file name is present in another, e.g.
// delivrto.pdf
// delivrto.pdf /delivrto.pdf .cmd
any(.scan.zip.all_paths,
any(..scan.zip.all_paths,
. != .. and
strings.starts_with(., ..)
)
)
)
)
)
and (
(
sender.email.domain.root_domain in $free_email_providers
and sender.email.email not in $recipient_emails
)
or (
sender.email.domain.root_domain not in $free_email_providers
and sender.email.domain.domain not in $recipient_domains
)
)
Author
delivr_to
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
References
Tags
Suspicious attachmentCVE-2023-38831
Raw Content
name: "Attachment: Zip exploiting CVE-2023-38831 (unsolicited)"
description: |
A Zip attachment that exhibits attributes required to exploit CVE-2023-38831, a vulnerability in WinRAR (prior to 6.23).
type: "rule"
severity: "critical"
authors:
- twitter: "delivr_to"
references:
- https://twitter.com/GroupIB_TI/status/1694277126944633328
- https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/
- https://github.com/b1tg/CVE-2023-38831-winrar-exploit/
- https://delivr.to/payloads?id=ab969e8a-bf5c-45a6-acd0-0dd2b2a34750
source: |
type.inbound
and any(attachments,
.file_extension in $file_extensions_common_archives and
any(file.explode(.),
(
.depth == 0 and
any(.scan.zip.all_paths,
regex.match(.,
// zip contains a path with spaces and file extensions
// lure.pdf /lure.pdf .cmd
//
// /= Initial file name (including any spaces)
// |
// | /= Space
// | |
// | | /= Folder
// | | |
// | | | /= Repeated file name
// | | | |
// | | | | /= Space
// | | | | |
// | | | | | /= Real script ending
// | | | | | |
'.+\.\w+\s\/.+\.\w+\s\.\w+'
)
)
) and
(
// One file name is present in another, e.g.
// delivrto.pdf
// delivrto.pdf /delivrto.pdf .cmd
any(.scan.zip.all_paths,
any(..scan.zip.all_paths,
. != .. and
strings.starts_with(., ..)
)
)
)
)
)
and (
(
sender.email.domain.root_domain in $free_email_providers
and sender.email.email not in $recipient_emails
)
or (
sender.email.domain.root_domain not in $free_email_providers
and sender.email.domain.domain not in $recipient_domains
)
)
tags:
- "Suspicious attachment"
- "CVE-2023-38831"
id: "926b96ae-f40b-525d-a312-bd6c9a5f19fb"