Date: 01/16/2025
Severity: Medium
Summary
"Potential CVE-2023-36874 Exploitation - Fake Wermgr.Exe Creation" refers to the detection of a file named "wermgr.exe" being created in a directory where Windows does not normally place it, which may indicate attempted exploitation of CVE-2023-36874. This vulnerability can be exploited by attackers to execute malicious code, and the creation of a fake wermgr.exe outside its legitimate locations is a potential sign of such exploitation, often used to disguise malicious activity or evade detection.
Indicators of Compromise (IOC) List
TargetFilename (created file name) ends with: '\wermgr.exe'
Legitimate locations excluded from the match (a wermgr.exe created anywhere else is flagged):
- ':\$WINDOWS.~BT\NewOS\'
- ':\$WinREAgent\'
- ':\Windows\servicing\LCU\'
- ':\Windows\System32\'
- ':\Windows\SysWOW64\'
- ':\Windows\WinSxS\'
- ':\WUDownloadCache\'
- ':\Windows\SoftwareDistribution\Download\'
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 (Windows Security event log):
((resourcename in ("Windows Security" ) AND eventtype = "4663") AND objectname like "\wermgr.exe" AND objectname not IN (":\$WINDOWS.~BT\NewOS",":\$WinREAgent",":\Windows\servicing\LCU",":\Windows\System32",":\Windows\SysWOW64",":\Windows\WinSxS",":\WUDownloadCache",":\Windows\SoftwareDistribution\Download"))

Detection Query 2 (EDR telemetry):
((technologygroup = "EDR") AND objectname like "\wermgr.exe" AND objectname not IN (":\$WINDOWS.~BT\NewOS",":\$WinREAgent",":\Windows\servicing\LCU",":\Windows\System32",":\Windows\SysWOW64",":\Windows\WinSxS",":\WUDownloadCache",":\Windows\SoftwareDistribution\Download"))
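The same filename-and-location logic as the queries above, applied to file-creation events, as an added example that is not part of this advisory or of Gurucul's product. The event dictionaries, the 'TargetFilename' key and the 'Image' values are constructed for illustration.

```python
"""Added example: flag wermgr.exe creations outside the known-good Windows directories."""
from typing import Iterable, List

# Suffix the rule matches and the legitimate locations the advisory's queries exclude.
WERMGR_SUFFIX = "\\wermgr.exe"
LEGITIMATE_PATH_FRAGMENTS = (
    ":\\$WINDOWS.~BT\\NewOS\\",
    ":\\$WinREAgent\\",
    ":\\Windows\\servicing\\LCU\\",
    ":\\Windows\\System32\\",
    ":\\Windows\\SysWOW64\\",
    ":\\Windows\\WinSxS\\",
    ":\\WUDownloadCache\\",
    ":\\Windows\\SoftwareDistribution\\Download\\",
)


def is_suspicious_wermgr_creation(target_filename: str) -> bool:
    """True when the created file is named wermgr.exe and lies outside every known-good directory.

    Windows paths are case-insensitive, so both sides are lower-cased; the
    legitimate-location fragments are matched anywhere in the path (contains semantics),
    which also covers nested servicing directories such as WinSxS\<component>\.
    """
    path = target_filename.lower()
    if not path.endswith(WERMGR_SUFFIX):
        return False
    return not any(frag.lower() in path for frag in LEGITIMATE_PATH_FRAGMENTS)


def triage_file_events(events: Iterable[dict]) -> List[dict]:
    """Reduce file-creation events (dicts with a 'TargetFilename' key) to the ones worth alerting on."""
    return [e for e in events if is_suspicious_wermgr_creation(e.get("TargetFilename", ""))]


# Constructed sample events; these are not taken from a real host.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetFilename": "C:\\Windows\\System32\\wermgr.exe"},                      # legitimate location
    {"Image": "C:\\Windows\\System32\\TiWorker.exe",
     "TargetFilename": "C:\\Windows\\WinSxS\\amd64_component\\wermgr.exe"},       # servicing stack, legitimate
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\wermgr.exe"},     # uncommon directory: alert
    {"Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\alice\\Downloads\\wermgr.exe.txt"},            # different suffix: ignored
]

if __name__ == "__main__":
    for alert in triage_file_events(SAMPLE_EVENTS):
        print("ALERT: wermgr.exe created outside a legitimate directory:", alert["TargetFilename"], "by", alert["Image"])
```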
Reference:
https://github.com/SigmaHQ/sigma/blob/master/rules-emerging-threats/2023/Exploits/CVE-2023-36874/file_event_win_exploit_cve_2023_36874_wermgr_creation.yml