Potential CVE-2023-23397 Exploitation Attempt - SMB

Detects (failed) outbound connection attempts to internet-facing SMB servers. This could be a sign of potential exploitation attempts of CVE-2023-23397.

Sigma rule

title: Potential CVE-2023-23397 Exploitation Attempt - SMB
id: de96b824-02b0-4241-9356-7e9b47f04bac
status: test
description: Detects (failed) outbound connection attempts to internet facing SMB servers. This could be a sign of potential exploitation attempts of CVE-2023-23397.
references:
    - https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/
    - https://github.com/nasbench/Misc-Research/blob/main/ETW/Microsoft-Windows-SMBClient.md
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-05
modified: 2025-04-07
tags:
    - attack.exfiltration
    - cve.2023-23397
    - detection.emerging-threats
logsource:
    product: windows
    service: smbclient-connectivity
detection:
    selection:
        # Author Note: You could adapt this rule to use the "ServerName" field and uncomment the commented EventIDs. But you need to provide your own filter for "trusted server names"
        EventID:
            # - 30800 # The server name cannot be resolved. (Doesn't contain the "ServerAddress" field)
            - 30803 # Failed to establish a network connection.
            - 30804 # A network connection was disconnected.
            - 30806 # The client re-established its session to the server.
            # - 31001 # Error (Doesn't contain the "ServerAddress" field)
    filter_main_local_ips:
        - ServerAddress|cidr:
              # IPv4
              - '10.0.0.0/8'
              - '127.0.0.0/8'
              - '169.254.0.0/16'
              - '172.16.0.0/12'
              - '192.168.0.0/16'
              # IPv6
              - '::1/128'  # IPv6 loopback
              - 'fe80::/10'  # IPv6 link-local addresses
              - 'fc00::/7'  # IPv6 private addresses
        - Address|startswith:
              # This is for EventID 30804, which doesn't have the "ServerAddress" field, but a field called "Address" and it contains a socket address (IP:Port) and not an IP
              # IPv4
              - '10.'
              - '127.'
              - '169.254.'
              - '172.'
              - '192.168.'
              # IPv6
              - '::1'
              - 'fe80::'
              - 'fc00::'
        # The filters below cover the XML raw log
        - Address|contains:
              # IPv6
              - '00000000000000000000000000000001' # ::1 - IPv6 loopback
              - 'FE80000000000000' # fe80:: - IPv6 link-local addresses
              - 'FC00000000000000' # fc00:: - IPv6 private addresses
              # IPv4
              # The "?" are meant to represent the port
              - '0200????C0A8' # 192.168.
              - '0200????AC' # 172.
              - '0200????0A' # 10.
              - '0200????7F' # 127.
              - '0200????A9FE' # 169.254.
        - ServerAddress|contains:
              # IPv6
              - '00000000000000000000000000000001' # ::1 - IPv6 loopback
              - 'FE80000000000000' # fe80:: - IPv6 link-local addresses
              - 'FC00000000000000' # fc00:: - IPv6 private addresses
              # IPv4
              # The "?" are meant to represent the port
              - '0200????C0A8' # 192.168.
              - '0200????AC' # 172.
              - '0200????0A' # 10.
              - '0200????7F' # 127.
              - '0200????A9FE' # 169.254.
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Some false positives may occur from external trusted servers. Apply additional filters accordingly
level: medium
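To make the rule's logic concrete, the following Python is an added example (not part of the rule, the Sigma project, or the author's work) that evaluates the condition `selection and not 1 of filter_main_*` over a handful of constructed SMBClient connectivity events. It mirrors the three filter styles the rule uses: the `cidr` check on `ServerAddress`, the `startswith` check on the `IP:Port` string in `Address` (EventID 30804), and the `contains` check on the hex-rendered socket address from the raw XML, where Sigma's `?` wildcard stands for one character of the port. The `decode_sockaddr_hex` helper is an assumption about the hex layout (2-byte address family little-endian, 2-byte port big-endian, then the address bytes, with AF_INET = 2 and AF_INET6 = 23), added to show why `0200????C0A8` corresponds to a 192.168.x.x peer; the event dictionaries and every IP in them are constructed test data, not real telemetry.

```python
import ipaddress
import re

# filter_main_local_ips -> ServerAddress|cidr (ranges copied from the rule)
LOCAL_CIDRS = [ipaddress.ip_network(c) for c in (
    "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fe80::/10", "fc00::/7",
)]

# filter_main_local_ips -> Address|startswith (EventID 30804 carries "IP:Port", not a bare IP)
LOCAL_PREFIXES = ("10.", "127.", "169.254.", "172.", "192.168.", "::1", "fe80::", "fc00::")

# filter_main_local_ips -> Address|contains / ServerAddress|contains on the raw XML hex form.
# In Sigma, '?' matches exactly one character, so '????' is the 2-byte port in hex.
LOCAL_HEX_PATTERNS = (
    "00000000000000000000000000000001", "FE80000000000000", "FC00000000000000",
    "0200????C0A8", "0200????AC", "0200????0A", "0200????7F", "0200????A9FE",
)

# selection -> EventID list (the commented-out 30800 / 31001 are deliberately excluded)
SELECTED_EVENT_IDS = {30803, 30804, 30806}


def sigma_contains(value: str, pattern: str) -> bool:
    """Sigma 'contains' semantics: case-insensitive substring, '?' = one char, '*' = any run."""
    regex = re.escape(pattern).replace(r"\?", ".").replace(r"\*", ".*")
    return re.search(regex, value, re.IGNORECASE) is not None


def in_local_cidr(ip_text: str) -> bool:
    """Sigma 'cidr' modifier: does the IP literal fall inside any of the private/loopback ranges?"""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:  # not a bare IP (e.g. a hostname or an IP:Port string)
        return False
    return any(ip in net for net in LOCAL_CIDRS)


def is_local_destination(event: dict) -> bool:
    """'1 of filter_main_*': any one of the four sub-filters matching suppresses the alert."""
    server_address = event.get("ServerAddress", "")
    address = event.get("Address", "")
    if server_address and in_local_cidr(server_address):
        return True
    if address and address.lower().startswith(LOCAL_PREFIXES):
        return True
    for field in (address, server_address):
        if field and any(sigma_contains(field, p) for p in LOCAL_HEX_PATTERNS):
            return True
    return False


def matches_rule(event: dict) -> bool:
    """'selection and not 1 of filter_main_*': a selected EventID whose peer is not a local address."""
    return event.get("EventID") in SELECTED_EVENT_IDS and not is_local_destination(event)


def run_rule(events):
    """Return the events the rule would alert on, in input order."""
    return [e for e in events if matches_rule(e)]


def decode_sockaddr_hex(blob_hex: str):
    """ASSUMED layout of the hex-rendered sockaddr in the raw XML: family (2 bytes, little-endian),
    port (2 bytes, big-endian), then IPv4 bytes (AF_INET=2) or 4-byte flowinfo + 16 IPv6 bytes (AF_INET6=23).
    Returns (ip_text, port); ip_text is None for an unknown family."""
    raw = bytes.fromhex(blob_hex)
    family = int.from_bytes(raw[0:2], "little")
    port = int.from_bytes(raw[2:4], "big")
    if family == 2:
        return str(ipaddress.IPv4Address(raw[4:8])), port
    if family == 23:
        return str(ipaddress.IPv6Address(raw[8:24])), port
    return None, port


# Constructed sample events (hypothetical values, documentation ranges only)
SAMPLE_EVENTS = [
    {"EventID": 30803, "ServerAddress": "203.0.113.10", "ServerName": "203.0.113.10"},  # external -> alert
    {"EventID": 30803, "ServerAddress": "192.168.10.20", "ServerName": "fileserver"},   # RFC1918 -> suppressed
    {"EventID": 30804, "Address": "192.168.10.20:445"},                                  # IP:Port local -> suppressed
    {"EventID": 30804, "Address": "198.51.100.7:445"},                                   # IP:Port external -> alert
    {"EventID": 30806, "ServerAddress": "fe80::1"},                                      # link-local -> suppressed
    {"EventID": 30804, "Address": "020001BDC0A80A140000000000000000"},                  # raw hex 192.168.10.20:445 -> suppressed
    {"EventID": 30800, "ServerName": "unresolved.example"},                              # not in selection -> ignored
]

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print("ALERT:", hit)
    print(decode_sockaddr_hex("020001BDC0A80A140000000000000000"))
```

Running the block prints the two external-destination events and decodes the hex sample to `('192.168.10.20', 445)`. Note that the `172.` prefix and `0200????AC` patterns suppress the whole 172.0.0.0/8 range, wider than the 172.16.0.0/12 CIDR used for `ServerAddress`; the decoder is one way to tighten that by checking the decoded IP against the same CIDR list instead of a string prefix.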
