CVE-2023-23397 Exploitation Attempt
Detects Outlook initiating a connection to a WebDAV or SMB share, which could be a sign of CVE-2023-23397 exploitation.
Sigma rule

```yaml
title: CVE-2023-23397 Exploitation Attempt
id: 73c59189-6a6d-4b9f-a748-8f6f9bbed75c
status: test
description: Detects Outlook initiating connection to a WebDAV or SMB share, which could be a sign of CVE-2023-23397 exploitation.
author: Robert Lee @quantum_cookie
date: 2023-03-16
modified: 2023-03-22
references:
    - https://www.trustedsec.com/blog/critical-outlook-vulnerability-in-depth-technical-analysis-and-recommendations-cve-2023-23397/
tags:
    - attack.credential-access
    - attack.initial-access
    - cve.2023-23397
    - detection.emerging-threats
logsource:
    service: security
    product: windows
    definition: 'Requirements: SACLs must be enabled for "Query Value" on the registry keys used in this rule'
detection:
    selection:
        EventID:
            - 4656
            - 4663
        ProcessName|endswith: '\OUTLOOK.EXE'
        # Example: \REGISTRY\MACHINE\SYSTEM\CurrentControlSet001\Services\WebClient\NetworkProvider
        ObjectName|contains|all:
            - '\REGISTRY\MACHINE\SYSTEM'
            - 'Services\'
        ObjectName|endswith:
            - 'WebClient\NetworkProvider'
            - 'LanmanWorkstation\NetworkProvider'
        AccessList|contains: '%%4416' # "Query key value"
    condition: selection
falsepositives:
    - Searchprotocolhost.exe likes to query these registry keys. To avoid false positives, it's better to filter out those events before they reach the SIEM
level: critical
```
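As an added example (not code from the Sigma project or the rule's author), the Python below re-implements the rule's `selection` block together with the pre-SIEM filter suggested under `falsepositives`, and runs both over constructed Windows Security events. The field names follow the rule; the event dicts, file paths and the `is_prefiltered` helper are assumptions made for the example.

```python
from typing import Iterable

# Mirrors the rule's selection block (Sigma string matching is case-insensitive).
EVENT_IDS = {4656, 4663}
PROCESS_SUFFIX = "\\outlook.exe"                                      # ProcessName|endswith
OBJECT_CONTAINS_ALL = ("\\registry\\machine\\system", "services\\")  # ObjectName|contains|all
OBJECT_ENDSWITH = ("webclient\\networkprovider",                      # ObjectName|endswith
                   "lanmanworkstation\\networkprovider")
ACCESS_MASK = "%%4416"                                                # AccessList|contains ("Query key value")
# Known noisy reader of these keys, per the rule's falsepositives note; dropped before the SIEM.
BENIGN_PROCESS_SUFFIXES = ("\\searchprotocolhost.exe",)


def matches_rule(event: dict) -> bool:
    """True when a Security event satisfies the rule's 'selection' block."""
    process = str(event.get("ProcessName", "")).lower()
    obj = str(event.get("ObjectName", "")).lower()
    return (
        event.get("EventID") in EVENT_IDS
        and process.endswith(PROCESS_SUFFIX)
        and all(part in obj for part in OBJECT_CONTAINS_ALL)
        and obj.endswith(OBJECT_ENDSWITH)
        and ACCESS_MASK in str(event.get("AccessList", ""))
    )


def is_prefiltered(event: dict) -> bool:
    """Pre-SIEM filter (assumed helper) for processes that legitimately query these keys."""
    return str(event.get("ProcessName", "")).lower().endswith(BENIGN_PROCESS_SUFFIXES)


def alerts(events: Iterable[dict]) -> list:
    """Apply the pre-filter, then the rule; returns the events that would alert."""
    return [e for e in events if not is_prefiltered(e) and matches_rule(e)]


# Constructed sample events (not real telemetry); paths are illustrative.
SAMPLE_EVENTS = [
    {"EventID": 4663, "AccessList": "%%4416",
     "ProcessName": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
     "ObjectName": "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\WebClient\\NetworkProvider"},
    {"EventID": 4656, "AccessList": "%%4416",
     "ProcessName": "C:\\Windows\\System32\\SearchProtocolHost.exe",
     "ObjectName": "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\LanmanWorkstation\\NetworkProvider"},
    {"EventID": 4663, "AccessList": "%%4416",
     "ProcessName": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
     "ObjectName": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Office\\16.0\\Outlook\\Profiles"},
]
```

Calling `alerts(SAMPLE_EVENTS)` returns only the first event: the SearchProtocolHost.exe read is dropped by the pre-filter, and the third event touches a key outside `\REGISTRY\MACHINE\SYSTEM`, so it never matches.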