From e7f566875b9fe5cbb06940b8a9c981ee70e0b41c Mon Sep 17 00:00:00 2001
From: Aiden Mitchell
Date: Wed, 27 Sep 2023 09:16:01 -0700
Subject: [PATCH 1/2] Adding delivr.to rule
---
 detection-rules/attachment_cve_2023_38831.yml | 66 +++++++++++++++++++
 1 file changed, 66 insertions(+)
 create mode 100644 detection-rules/attachment_cve_2023_38831.yml
diff --git a/detection-rules/attachment_cve_2023_38831.yml b/detection-rules/attachment_cve_2023_38831.yml
new file mode 100644
index 00000000000..eb6f5303943
--- /dev/null
+++ b/detection-rules/attachment_cve_2023_38831.yml
@@ -0,0 +1,66 @@
+name: "Attachment: Zip Exploiting CVE-2023-38831 (Unsolicited)"
+description: |
+ A Zip attachment that exhibits attributes required to exploit CVE-2023-38831, a vulnerability in WinRAR (prior to 6.23).
+type: "rule"
+severity: "critical"
+authors:
+ - twitter: "delivr_to"
+references:
+ - https://twitter.com/GroupIB_TI/status/1694277126944633328
+ - https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/
+ - https://github.com/b1tg/CVE-2023-38831-winrar-exploit/
+ - https://delivr.to/payloads?id=ab969e8a-bf5c-45a6-acd0-0dd2b2a34750
+source: |
+ type.inbound
+ and any(attachments,
+ .file_extension in $file_extensions_common_archives and
+ any(file.explode(.),
+ (
+ .depth == 0 and
+ any(.scan.zip.all_paths,
+ regex.match(.,
+ // zip contains a path with spaces and file extensions
+ // lure.pdf /lure.pdf .cmd
+ //
+ // /= Initial file name
+ // |
+ // | /= Space
+ // | |
+ // | | /= Folder
+ // | | |
+ // | | | /= Repeated file name
+ // | | | |
+ // | | | | /= Space
+ // | | | | |
+ // | | | | | /= Real script ending
+ // | | | | | |
+ '\w+\.\w+\s\/\w+\.\w+\s\.\w+'
+ )
+ )
+ ) and
+ (
+ // One file name is present in another, e.g.
+ // delivrto.pdf
+ // delivrto.pdf /delivrto.pdf .cmd
+ any(.scan.zip.all_paths,
+ any(..scan.zip.all_paths,
+ . != .. and
+ strings.starts_with(., ..)
+ )
+ )
+ )
+ )
+ )
+ and (
+ (
+ sender.email.domain.root_domain in $free_email_providers
+ and sender.email.email not in $recipient_emails
+ )
+ or (
+ sender.email.domain.root_domain not in $free_email_providers
+ and sender.email.domain.domain not in $recipient_domains
+ )
+ )
+tags:
+ - "Suspicious Attachment"
+ - "CVE-2023-38831"
\ No newline at end of file
From 9592b97ece5f1248cda95a1984f0617389805c75 Mon Sep 17 00:00:00 2001
From: ID Generator
Date: Wed, 27 Sep 2023 16:17:47 +0000
Subject: [PATCH 2/2] Auto add rule ID
---
 detection-rules/attachment_cve_2023_38831.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
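Review bot: The path pattern on the `regex.match(., '\w+\.\w+\s\/\w+\.\w+\s\.\w+')` line in the `source` block only accepts `[A-Za-z0-9_]` in each name component, so an archive entry whose lure name contains a hyphen, a second dot, an inner space or a non-ASCII character is not matched at all, which is a coverage gap for a rule rated `severity: "critical"`. The second `any(...)` clause does not narrow this: if `.scan.zip.all_paths` lists directory entries, `strings.starts_with(., ..)` with `. != ..` is satisfied by any folder and its own contents, and it never checks for the trailing space the comment diagram calls out. Consider widening the name positions, e.g. `'[^\/]+\.\w+\s\/[^\/]+\.\w+\s\.\w+'` (constructed; validate against the delivr.to sample listed under `references` before merging), and adding a one-line note such as `// regex.match is evaluated against the whole path, so entries nested under an extra folder will not match` if, as the contrast with regex.contains suggests, regex.match is full-string. The rule name says "Zip" but the attachment filter is `$file_extensions_common_archives`; that is harmless if `.scan.zip.all_paths` is only populated for zip containers, but a short comment stating that intent would save the next maintainer the question.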
diff --git a/detection-rules/attachment_cve_2023_38831.yml b/detection-rules/attachment_cve_2023_38831.yml
index eb6f5303943..22f0b734b1b 100644
--- a/detection-rules/attachment_cve_2023_38831.yml
+++ b/detection-rules/attachment_cve_2023_38831.yml
@@ -63,4 +63,5 @@ source: |
 )
 tags:
 - "Suspicious Attachment"
- - "CVE-2023-38831"
\ No newline at end of file
+ - "CVE-2023-38831"
+id: "926b96ae-f40b-525d-a312-bd6c9a5f19fb"