Sigma Rule Packages for 23-10-2023 are released and available for download. This release saw the addition of 21 new rules, 17 rule updates and 24 rule fixes.
New Rules
Some highlights among the new rules include a detection for CVE-2023-27363 (Remote Code Execution in Foxit Reader) based on .hta file creation in the Startup directory.
```yaml
title: Potential CVE-2023-27363 Exploitation - HTA File Creation By FoxitPDFReader
id: 9cae055f-e1d2-4f81-b8a5-1986a68cdd84
status: experimental
description: Detects suspicious ".hta" file creation in the startup folder by Foxit Reader. This can be an indication of CVE-2023-27363 exploitation.
references:
    - https://github.com/j00sean/SecBugs/tree/ff72d553f75d93e1a0652830c0f74a71b3f19c46/CVEs/CVE-2023-27363
    - https://www.zerodayinitiative.com/advisories/ZDI-23-491/
    - https://www.tarlogic.com/blog/cve-2023-27363-foxit-reader/
author: Gregory
date: 2023/10/11
tags:
    - attack.persistence
    - attack.t1505.001
    - cve.2023.27363
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith: '\FoxitPDFReader.exe'
        TargetFilename|contains: '\Microsoft\Windows\Start Menu\Programs\Startup\'
        TargetFilename|endswith: '.hta'
    condition: selection
falsepositives:
    - Unknown
level: high
```
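To show what the selection above actually matches, here is an added example (not part of the Sigma project or this release) that evaluates the rule's three field conditions against constructed Sysmon EventID 11 (FileCreate) records, the event type the `file_event` category normally maps to. The minimal evaluator and the sample records are assumptions made for illustration.

```python
# Hypothetical minimal evaluator for the modifiers used by the rule above.
RULE_SELECTION = {
    "Image|endswith": "\\FoxitPDFReader.exe",
    "TargetFilename|contains": "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\",
    "TargetFilename|endswith": ".hta",
}

def _match(field_spec, expected, event):
    """Apply one 'Field|modifier: value' condition to a single event."""
    field, _, modifier = field_spec.partition("|")
    actual = event.get(field)
    if actual is None:
        return False
    # Sigma string matching is case-insensitive by default.
    actual, expected = actual.lower(), expected.lower()
    if modifier == "endswith":
        return actual.endswith(expected)
    if modifier == "contains":
        return expected in actual
    if modifier == "startswith":
        return actual.startswith(expected)
    if modifier == "":
        return actual == expected
    raise ValueError(f"unsupported modifier: {modifier}")

def matches_selection(event, selection=RULE_SELECTION):
    """A Sigma map selection is satisfied only when every field condition holds (AND)."""
    return all(_match(spec, value, event) for spec, value in selection.items())

# Constructed Sysmon EventID 11 records, already normalized to the Sigma field names.
SAMPLE_EVENTS = [
    {"EventID": 11,
     "Image": r"C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.hta"},
    {"EventID": 11,  # benign: Foxit writing a PDF outside the Startup folder
     "Image": r"C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe",
     "TargetFilename": r"C:\Users\alice\Documents\report.pdf"},
    {"EventID": 11,  # .hta in Startup, but not written by Foxit, so outside this rule's scope
     "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notes.hta"},
]

def alerts(events):
    """Return the TargetFilename of every FileCreate event that satisfies the rule."""
    return [e["TargetFilename"] for e in events
            if e.get("EventID") == 11 and matches_selection(e)]

if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVENTS):
        print("ALERT (high): Potential CVE-2023-27363 exploitation ->", hit)
```

Only the first record fires; the second fails the Startup-path condition and the third fails the Image condition, which is why the rule's false-positive exposure stays narrow.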
A generic rule that detects the use of curl to download files from IP-based URLs, as seen being abused in the wild.