From a9e5e035ed9b1efa1ab3bc78d282012c5ea2eada Mon Sep 17 00:00:00 2001
From: Aiden Mitchell
Date: Thu, 28 Sep 2023 07:06:26 -0700
Subject: [PATCH] Adding delivr.to rule (#826)
Co-authored-by: ID Generator
---
 detection-rules/attachment_cve_2023_38831.yml | 67 +++++++++++++++++++
 1 file changed, 67 insertions(+)
 create mode 100644 detection-rules/attachment_cve_2023_38831.yml
diff --git a/detection-rules/attachment_cve_2023_38831.yml b/detection-rules/attachment_cve_2023_38831.yml
new file mode 100644
index 00000000000..22f0b734b1b
--- /dev/null
+++ b/detection-rules/attachment_cve_2023_38831.yml
@@ -0,0 +1,67 @@
+name: "Attachment: Zip Exploiting CVE-2023-38831 (Unsolicited)"
+description: |
+ A Zip attachment that exhibits attributes required to exploit CVE-2023-38831, a vulnerability in WinRAR (prior to 6.23).
+type: "rule"
+severity: "critical"
+authors:
+ - twitter: "delivr_to"
+references:
+ - https://twitter.com/GroupIB_TI/status/1694277126944633328
+ - https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/
+ - https://github.com/b1tg/CVE-2023-38831-winrar-exploit/
+ - https://delivr.to/payloads?id=ab969e8a-bf5c-45a6-acd0-0dd2b2a34750
+source: |
+ type.inbound
+ and any(attachments,
+ .file_extension in $file_extensions_common_archives and
+ any(file.explode(.),
+ (
+ .depth == 0 and
+ any(.scan.zip.all_paths,
+ regex.match(.,
+ // zip contains a path with spaces and file extensions
+ // lure.pdf /lure.pdf .cmd
+ //
+ // /= Initial file name
+ // |
+ // | /= Space
+ // | |
+ // | | /= Folder
+ // | | |
+ // | | | /= Repeated file name
+ // | | | |
+ // | | | | /= Space
+ // | | | | |
+ // | | | | | /= Real script ending
+ // | | | | | |
+ '\w+\.\w+\s\/\w+\.\w+\s\.\w+'
+ )
+ )
+ ) and
+ (
+ // One file name is present in another, e.g.
+ // delivrto.pdf
+ // delivrto.pdf /delivrto.pdf .cmd
+ any(.scan.zip.all_paths,
+ any(..scan.zip.all_paths,
+ . != .. and
+ strings.starts_with(., ..)
+ )
+ )
+ )
+ )
+ )
+ and (
+ (
+ sender.email.domain.root_domain in $free_email_providers
+ and sender.email.email not in $recipient_emails
+ )
+ or (
+ sender.email.domain.root_domain not in $free_email_providers
+ and sender.email.domain.domain not in $recipient_domains
+ )
+ )
+tags:
+ - "Suspicious Attachment"
+ - "CVE-2023-38831"
+id: "926b96ae-f40b-525d-a312-bd6c9a5f19fb"
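Review bot: The path regex `'\w+\.\w+\s\/\w+\.\w+\s\.\w+'` passed to `regex.match` only accepts decoy names built from `\w` characters, so a lure such as `invoice-2023.pdf /invoice-2023.pdf .cmd` or `report.final.pdf /report.final.pdf .cmd` (hyphen, second dot, non-ASCII letters) exploits CVE-2023-38831 just as well but is not detected, which is a cheap evasion for a rule marked critical. Widening the name tokens, e.g. `'[^\/\s]+\.\w+\s\/[^\/\s]+\.\w+\s\.\w+'`, keeps the structural shape the comment block documents (name, space, slash, repeated name, space, script extension) while covering those cases. The technique also relies on the folder name equalling the decoy file name; the `. != .. and strings.starts_with(., ..)` clause only approximates that, and a backreference in the regex would be tighter if the rule engine supports it, which is worth confirming before relying on it. Note as well that `.depth == 0` limits this clause to the outermost archive, so a zip carried inside another zip appears not to be inspected; if that is not intentional, consider relaxing the depth restriction.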