CVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process

    Date: 12/30/2024

    Severity: Medium

    Summary

    This detection covers CVE-2023-38331, a vulnerability in WinRAR versions prior to 6.23 that lets an attacker execute arbitrary commands or binaries. The flaw lies in how WinRAR handles certain file types: a crafted archive, when opened by the victim, triggers execution of attacker-supplied code. Exploitation attempts are detected by identifying suspicious child processes spawned by WinRAR (command and script interpreters launched with a path under WinRAR's temporary extraction directory), which indicate that malicious commands or binaries were run as part of the attack.

    Indicators of Compromise (IOC) List

    ParentImage
        '\WinRAR.exe'

    CommandLine
        '\AppData\Local\Temp\Rar$'
        '\.[a-zA-Z0-9]{1,4} \.' (regular expression)

    Image
        '\cmd.exe'
        '\cscript.exe'
        '\powershell.exe'
        '\pwsh.exe'
        '\wscript.exe'

    OriginalFileName
        'Cmd.Exe'
        'cscript.exe'
        'PowerShell.EXE'
        'pwsh.dll'
        'wscript.exe'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    resourcename = "Windows Security" AND eventtype = "4688" AND parentprocessname = "\WinRAR.exe" AND (commandline like "\AppData\Local\Temp\Rar$" OR commandline like "\.[a-zA-Z0-9]{1,4} \.") AND processname IN ("\cmd.exe","\cscript.exe","\powershell.exe","\pwsh.exe","\wscript.exe")

    Detection Query 2

    technologygroup = "EDR" AND parentprocessname = "\WinRAR.exe" AND (commandline like "\AppData\Local\Temp\Rar$" OR commandline like "\.[a-zA-Z0-9]{1,4} \.") AND processname IN ("\cmd.exe","\cscript.exe","\powershell.exe","\pwsh.exe","\wscript.exe")

    Detection Query 3

    resourcename in ("Sysmon") AND eventtype = "1" AND parentimage in ("\WinRAR.exe") AND (commandline like "\AppData\Local\Temp\Rar$" OR commandline like "\.[a-zA-Z0-9]{1,4} \.") AND image IN ("\cmd.exe","\cscript.exe","\powershell.exe","\pwsh.exe","\wscript.exe") AND Originalfilename IN ("Cmd.Exe","cscript.exe","PowerShell.EXE","pwsh.dll","wscript.exe")

    Detection Query 4

    technologygroup = "EDR" AND parentimage in ("\WinRAR.exe") AND (commandline like "\AppData\Local\Temp\Rar$" OR commandline like "\.[a-zA-Z0-9]{1,4} \.") AND image IN ("\cmd.exe","\cscript.exe","\powershell.exe","\pwsh.exe","\wscript.exe") AND Originalfilename IN ("Cmd.Exe","cscript.exe","PowerShell.EXE","pwsh.dll","wscript.exe")
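    As an added example (not part of this advisory or of the referenced Sigma rule), the logic of Detection Query 3 expressed in Python and run over a few constructed Sysmon Event ID 1 records. Field names follow Sysmon; every event value below is made up for illustration.

```python
import re

# Indicators as listed in the advisory above (matched case-insensitively)
WINRAR_PARENT = r"\winrar.exe"
TEMP_PATH_MARKER = r"\appdata\local\temp\rar$"
DOUBLE_EXT_RE = re.compile(r"\.[a-zA-Z0-9]{1,4} \.")   # e.g. ".pdf ." in "x.pdf .cmd"
CHILD_IMAGES = (r"\cmd.exe", r"\cscript.exe", r"\powershell.exe", r"\pwsh.exe", r"\wscript.exe")
ORIGINAL_NAMES = {"cmd.exe", "cscript.exe", "powershell.exe", "pwsh.dll", "wscript.exe"}


def is_winrar_suspicious_child(event: dict) -> bool:
    """True when a Sysmon process-creation record satisfies Detection Query 3."""
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "")
    original = event.get("OriginalFileName", "").lower()
    if not parent.endswith(WINRAR_PARENT):
        return False
    # Either the WinRAR temp extraction path or the "name.ext .ext" pattern must appear
    if TEMP_PATH_MARKER not in cmdline.lower() and not DOUBLE_EXT_RE.search(cmdline):
        return False
    # Child must be one of the listed interpreters by both path and OriginalFileName
    return image.endswith(CHILD_IMAGES) and original in ORIGINAL_NAMES


def scan(events) -> list:
    """Return the EventRecordIDs of all matching records."""
    return [e["EventRecordID"] for e in events if is_winrar_suspicious_child(e)]


# Constructed sample events (hypothetical values, not real telemetry)
SAMPLE_EVENTS = [
    {"EventRecordID": 1001, "ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c "C:\Users\alice\AppData\Local\Temp\Rar$DIa0.123\report.pdf .cmd"'},
    {"EventRecordID": 1002, "ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": r'"C:\Windows\System32\notepad.exe" "C:\Users\alice\AppData\Local\Temp\Rar$DIa0.456\readme.txt"'},
    {"EventRecordID": 1003, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c dir C:\Users\alice\AppData\Local\Temp\Rar$DIa0.789'},
    {"EventRecordID": 1004, "ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "OriginalFileName": "PowerShell.EXE",
     "CommandLine": r"powershell.exe -File C:\tools\verify.ps1"},
]

if __name__ == "__main__":
    print("matching EventRecordIDs:", scan(SAMPLE_EVENTS))
```

    Only record 1001 fires: 1002 is a benign viewer, 1003 has the wrong parent, and 1004 is a WinRAR child whose command line carries neither indicator.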

    Reference:

    https://github.com/SigmaHQ/sigma/blob/master/rules-emerging-threats/2023/Exploits/CVE-2023-38831/proc_creation_win_exploit_cve_2023_38831_winrar_child_proc.yml


    Tags

    Malware, Sigma, CVE-2023, WinRAR, Exploitation
