CVE-2023-23397 Exploitation Attempt

Detects outlook initiating connection to a WebDAV or SMB share, which could be a sign of CVE-2023-23397 exploitation.

Sigma rule (View on GitHub)

 1title: CVE-2023-23397 Exploitation Attempt
 2id: 73c59189-6a6d-4b9f-a748-8f6f9bbed75c
 3status: test
 4description: Detects outlook initiating connection to a WebDAV or SMB share, which could be a sign of CVE-2023-23397 exploitation.
 5author: Robert Lee @quantum_cookie
 6date: 2023-03-16
 7modified: 2023-03-22
 8references:
 9    - https://www.trustedsec.com/blog/critical-outlook-vulnerability-in-depth-technical-analysis-and-recommendations-cve-2023-23397/
10tags:
11    - attack.credential-access
12    - attack.initial-access
13    - cve.2023-23397
14    - detection.emerging-threats
15logsource:
16    service: security
17    product: windows
18    definition: 'Requirements: SACLs must be enabled for "Query Value" on the registry keys used in this rule'
19detection:
20    selection:
21        EventID:
22            - 4656
23            - 4663
24        ProcessName|endswith: '\OUTLOOK.EXE'
25        # Example: \REGISTRY\MACHINE\SYSTEM\CurrentControlSet001\Services\WebClient\NetworkProvider
26        ObjectName|contains|all:
27            - '\REGISTRY\MACHINE\SYSTEM'
28            - 'Services\'
29        ObjectName|endswith:
30            - 'WebClient\NetworkProvider'
31            - 'LanmanWorkstation\NetworkProvider'
32        AccessList|contains: '%%4416' # "Query key value"
33    condition: selection
34falsepositives:
35    - Searchprotocolhost.exe likes to query these registry keys. To avoid false postives, it's better to filter out those events before they reach the SIEM
36level: critical

References

Related rules

to-top