CVE-2023-38831 PoC — WinRAR 安全漏洞

Source

https://github.com/PascalAsch/CVE-2023-38831-KQL

Associated Vulnerability

Title:WinRAR 安全漏洞 (CVE-2023-38831)
Description:RARLAB WinRAR before 6.23 allows attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive. The issue occurs because a ZIP archive may include a benign file (such as an ordinary .JPG file) and also a folder that has the same name as the benign file, and the contents of the folder (which may include executable content) are processed during an attempt to access only the benign file. This was exploited in the wild in April through October 2023.

Description

KQL Hunting for WinRAR CVE-2023-38831

Readme

# CVE-2023-38831 - WinRAR File Extension Spoofing Vulnerability

## Description
Cybercriminals have exploited a vulnerability allowing them to spoof file extensions. This means they can hide the launch of malicious scripts within archives pretending to be common file types such as `.jpg`, `.txt`, etc. This vulnerability was reported to both RARLAB and MITRE Corporation, with the latter assigning it the identifier CVE-2023-38831. Notably, the cybercriminals have used ZIP archives to deliver various malware families such as DarkMe, GuLoader, and Remcos RAT. 

**Impact**:
- Distributed through specialist forums for traders, 130 traders' devices are currently known to be infected.
- While the total number of infected devices remains uncertain, the cybercriminals have been withdrawing money from broker accounts.
- The cybercriminals are leveraging this vulnerability to distribute tools previously used in the DarkCasino campaign as described by NSFOCUS.

## KQL Query for Microsoft Defender for Endpoint (MDE)

This KQL query is designed specifically for use with Microsoft Defender for Endpoint (MDE). The main table utilized in the query is `DeviceFileEvents`.

## Interpretation of KQL Search Results

- **Timestamp**: When the event occurred.
- **DeviceName**: Name of the device where the event was logged.
- **Filename with extension**: Actual name of the file.
- **Shown File Name**: The file name as presented to the user (potential spoofed name).
- **FolderPath**: Path of the file.
- **SHA256**: Hash of the file.
- **Known Hash?**: Indicates whether the file's hash matches any known malicious hash.
- **User Account**: Account initiating the process.

## Sources and Acknowledgments
- The Indicators of Compromise (IOCs) used in this query are sourced from Group-IB's analysis of CVE-2023-38831.(https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/)
- The Proof of Concept (PoC) for this vulnerability was generated using the exploit generator by b1tg, available at b1tg's GitHub repository.(https://github.com/b1tg/CVE-2023-38831-winrar-exploit)

## Notes

- This KQL query is basic in nature and does not guarantee comprehensive detection of malicious activity. It is important to continually refine and expand the search criteria based on evolving threats.
- The hash values used in the query are sourced from a specific site (https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/) and often relate to complete archives. As such, the "Known Hash?" column should be treated with caution.
- It's crucial to understand that the results from this query do not guarantee a compromise. There might be legitimate business use cases that can produce similar results. Always investigate and interpret the findings in the context of your environment.

## Disclaimer

**All information provided is "as is" without any guarantees. Use of this information and the provided query is at your own risk and responsibility.**

File Snapshot

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!