The following analytic detects the execution of Windows shell processes initiated by WinRAR, specifically looking for instances where WinRAR spawns processes like "cmd.exe", "powershell.exe", "certutil.exe", "mshta.exe", or "bitsadmin.exe". This behavior is worth identifying for a Security Operations Center (SOC) because it is indicative of a spoofing attack exploit, such as the one associated with WinRAR CVE-2023-38831. Cybercriminals exploited this vulnerability to craft ZIP archives with spoofed extensions, hiding the launch of malicious scripts within an archive. When a victim opened the specially crafted archive, it executed the malware, leading to unauthorized access to their broker accounts and enabling the cybercriminals to perform illicit financial transactions and withdraw funds. If a true positive is found, it suggests that an attacker has successfully exploited the vulnerability to execute malicious scripts, leading to unauthorized access, financial loss, and potentially the delivery of additional malicious payloads. The impact of the attack could be severe, involving financial loss, unauthorized access to sensitive accounts, and the potential for further malicious activity such as data theft or ransomware attacks.
- Type: TTP
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint
- Last Updated: 2023-08-29
- Author: Michael Haag, Splunk
- ID: d2f36034-37fa-4bd4-8801-26807c15540f
Kill Chain Phase
- Command and Control
- CIS 10
|CVE-2023-38831||RARLabs WinRAR before 6.23 allows attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive. The issue occurs because a ZIP archive may include a benign file (such as an ordinary .JPG file) and also a folder that has the same name as the benign file, and the contents of the folder (which may include executable content) are processed during an attempt to access only the benign file. This was exploited in the wild in April through August 2023.||None|
1 2 3 4 5 6 | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=winrar.exe `windows_shells` OR Processes.process_name IN ("certutil.exe","mshta.exe","bitsadmin.exe") by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `winrar_spawning_shell_application_filter`
The SPL above uses the following Macros:
winrar_spawning_shell_application_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
List of fields required to use this analytic.
How To Implement
The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the
Processes node of the
Endpoint data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
Known False Positives
Be aware of potential false positives - legitimate uses of WinRAR and the listed processes in your environment may cause benign activities to be flagged. Upon triage, review the destination, user, parent process, and process name involved in the flagged activity. Capture and inspect any relevant on-disk artifacts, and look for concurrent processes to identify the attack source. This approach helps analysts detect potential threats earlier and mitigate the risks.
Associated Analytic Story
|70.0||100||70||An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to decode a file.|
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.
source | version: 1