CVE-2023-23397 Exploitation Attempt
Detects outlook initiating connection to a WebDAV or SMB share, which could be a sign of CVE-2023-23397 exploitation.
Sigma rule (View on GitHub)
1title: CVE-2023-23397 Exploitation Attempt
2id: 73c59189-6a6d-4b9f-a748-8f6f9bbed75c
3status: test
4description: Detects outlook initiating connection to a WebDAV or SMB share, which could be a sign of CVE-2023-23397 exploitation.
5author: Robert Lee @quantum_cookie
6date: 2023/03/16
7modified: 2023/03/22
8references:
9 - https://www.trustedsec.com/blog/critical-outlook-vulnerability-in-depth-technical-analysis-and-recommendations-cve-2023-23397/
10tags:
11 - attack.credential_access
12 - attack.initial_access
13 - cve.2023.23397
14 - detection.emerging_threats
15logsource:
16 service: security
17 product: windows
18 definition: 'Requirements: SACLs must be enabled for "Query Value" on the registry keys used in this rule'
19detection:
20 selection:
21 EventID:
22 - 4656
23 - 4663
24 ProcessName|endswith: '\OUTLOOK.EXE'
25 # Example: \REGISTRY\MACHINE\SYSTEM\CurrentControlSet001\Services\WebClient\NetworkProvider
26 ObjectName|contains|all:
27 - '\REGISTRY\MACHINE\SYSTEM'
28 - 'Services\'
29 ObjectName|endswith:
30 - 'WebClient\NetworkProvider'
31 - 'LanmanWorkstation\NetworkProvider'
32 AccessList|contains: '%%4416' # "Query key value"
33 condition: selection
34falsepositives:
35 - Searchprotocolhost.exe likes to query these registry keys. To avoid false postives, it's better to filter out those events before they reach the SIEM
36level: critical
References
-
Threat Overview Earlier this week, Microsoft released a patch for Outlook vulnerability CVE-2023-23397, which has been actively exploited for almost an entire year. This exploit has caught the atte...
Read More
Related rules
- Potential CVE-2021-27905 Exploitation Attempt
- Potential MFA Bypass Using Legacy Client Authentication
- Potential CVE-2022-21587 Exploitation Attempt
- Potential CVE-2023-23752 Exploitation Attempt
- Cisco BGP Authentication Failures