WinRAR Spawning Shell Application

Try in Splunk Security Cloud

Description

The following analytic detects the execution of Windows shell processes initiated by WinRAR, specifically looking for instances where WinRAR spawns processes like "cmd.exe", "powershell.exe", "certutil.exe", "mshta.exe", or "bitsadmin.exe". This behavior is worth identifying for a Security Operations Center (SOC) because it is indicative of a spoofing attack exploit, such as the one associated with WinRAR CVE-2023-38831. Cybercriminals exploited this vulnerability to craft ZIP archives with spoofed extensions, hiding the launch of malicious scripts within an archive. When a victim opened the specially crafted archive, it executed the malware, leading to unauthorized access to their broker accounts and enabling the cybercriminals to perform illicit financial transactions and withdraw funds. If a true positive is found, it suggests that an attacker has successfully exploited the vulnerability to execute malicious scripts, leading to unauthorized access, financial loss, and potentially the delivery of additional malicious payloads. The impact of the attack could be severe, involving financial loss, unauthorized access to sensitive accounts, and the potential for further malicious activity such as data theft or ransomware attacks.

• Type: TTP
• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint
• Last Updated: 2023-08-29
• Author: Michael Haag, Splunk
• ID: d2f36034-37fa-4bd4-8801-26807c15540f

Annotations

ATT&CK

ATT&CK

ID	Technique	Tactic
T1105	Ingress Tool Transfer	Command And Control

Kill Chain Phase

• Command and Control

NIST

• DE.CM

CIS20

• CIS 10

CVE

ID	Summary	CVSS
CVE-2023-38831	RARLAB WinRAR before 6.23 allows attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive. The issue occurs because a ZIP archive may include a benign file (such as an ordinary .JPG file) and also a folder that has the same name as the benign file, and the contents of the folder (which may include executable content) are processed during an attempt to access only the benign file. This was exploited in the wild in April through October 2023.	None

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=winrar.exe `windows_shells` OR Processes.process_name IN ("certutil.exe","mshta.exe","bitsadmin.exe") by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `winrar_spawning_shell_application_filter`

Macros

The SPL above uses the following Macros:

• security_content_ctime
• security_content_summariesonly
• windows_shells

winrar_spawning_shell_application_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required fields

List of fields required to use this analytic.

• Processes.dest
• Processes.user
• Processes.parent_process
• Processes.process_name
• Processes.process
• Processes.process_id
• Processes.parent_process_id

How To Implement

The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the Processes node of the Endpoint data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.

Known False Positives

Be aware of potential false positives - legitimate uses of WinRAR and the listed processes in your environment may cause benign activities to be flagged. Upon triage, review the destination, user, parent process, and process name involved in the flagged activity. Capture and inspect any relevant on-disk artifacts, and look for concurrent processes to identify the attack source. This approach helps analysts detect potential threats earlier and mitigate the risks.

Associated Analytic Story

• WinRAR Spoofing Attack CVE-2023-38831

RBA

Risk Score	Impact	Confidence	Message
70.0	100	70	An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to decode a file.

The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

Reference

• https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/
• https://github.com/BoredHackerBlog/winrar_CVE-2023-38831_lazy_poc
• https://github.com/b1tg/CVE-2023-38831-winrar-exploit

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 1