Potential CVE-2023-23397 Exploitation Attempt - SMB
Detects (failed) outbound connection attempts to internet facing SMB servers. This could be a sign of potential exploitation attempts of CVE-2023-23397.
Sigma rule

```yaml
title: Potential CVE-2023-23397 Exploitation Attempt - SMB
id: de96b824-02b0-4241-9356-7e9b47f04bac
status: test
description: Detects (failed) outbound connection attempts to internet facing SMB servers. This could be a sign of potential exploitation attempts of CVE-2023-23397.
references:
    - https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/04/05
modified: 2024/03/13
tags:
    - attack.exfiltration
    - cve.2023.23397
    - detection.emerging_threats
logsource:
    product: windows
    service: smbclient-connectivity
detection:
    selection:
        # Author Note: You could adapt this rule to use the "ServerName" field and uncomment the commented EventIDs. But you need to provide your own filter for "trusted server names"
        EventID:
            # - 30800 # The server name cannot be resolved. (Doesn't contain the "ServerAddress" field)
            - 30803 # Failed to establish a network connection.
            - 30804 # A network connection was disconnected.
            - 30806 # The client re-established its session to the server.
            # - 31001 # Error (Doesn't contain the "ServerAddress" field)
    filter_main_local_ips:
        ServerAddress|cidr:
            - '10.0.0.0/8'
            - '127.0.0.0/8'
            - '169.254.0.0/16'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Some false positives may occur from external trusted servers. Apply additional filters accordingly
level: medium
```
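To make the rule's logic concrete, here is an added Python example (not part of the Sigma project or this rule) that evaluates the same selection and CIDR filter over a handful of constructed SMBClient/Connectivity events. Everything it checks comes from the rule above: the three selected EventIDs, the five private IPv4 ranges, and the `selection and not 1 of filter_main_*` condition. One assumption is added and labelled in the code: some renderings of these events append the TCP port to `ServerAddress` (e.g. `198.51.100.7:445`), so a trailing `:port` is stripped before parsing. The last sample event shows why the author keeps 30800 and 31001 commented out: an event without a `ServerAddress` field can never match the CIDR filter, so it would always alert.

```python
import ipaddress

# Event IDs selected by the rule (Microsoft-Windows-SMBClient/Connectivity channel).
SELECTED_EVENT_IDS = {30803, 30804, 30806}

# filter_main_local_ips from the rule: the IPv4 ranges treated as "not internet facing".
LOCAL_NETWORKS = [
    ipaddress.ip_network(cidr)
    for cidr in ("10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16")
]


def parse_server_address(value):
    """Return an ip_address for the ServerAddress field, or None if it is not an IP literal.

    Assumption (not stated in the rule): some renderings of these events append the TCP
    port, e.g. '198.51.100.7:445', so a trailing ':port' is stripped when the bare value
    does not parse and the remainder is an IP literal.
    """
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        pass
    host, sep, port = value.rpartition(":")
    if sep and port.isdigit():
        try:
            return ipaddress.ip_address(host)
        except ValueError:
            return None
    return None


def local_filter_matches(event):
    """Mirror of `ServerAddress|cidr: [...]`: matches only if the field is present,
    is an IP literal, and falls inside one of the listed IPv4 ranges."""
    raw = event.get("ServerAddress")
    if raw is None:
        return False  # Sigma semantics: an absent field never matches a cidr selection
    ip = parse_server_address(raw)
    if ip is None:
        return False
    # `ip in net` is False when the IP version differs, so IPv6 never matches these ranges.
    return any(ip in net for net in LOCAL_NETWORKS)


def rule_matches(event):
    """`condition: selection and not 1 of filter_main_*`."""
    if event.get("EventID") not in SELECTED_EVENT_IDS:
        return False
    return not local_filter_matches(event)


def evaluate(events):
    """Return the indices of events the rule would raise an alert for."""
    return [i for i, ev in enumerate(events) if rule_matches(ev)]


# Constructed sample events (not real telemetry). External addresses use RFC 5737 /
# RFC 3849 documentation ranges; internal ones use the private ranges from the rule.
SAMPLE_EVENTS = [
    {"EventID": 30803, "ServerAddress": "203.0.113.10"},        # external, failed connect -> alert
    {"EventID": 30803, "ServerAddress": "192.168.1.20"},        # internal file server -> filtered
    {"EventID": 30804, "ServerAddress": "172.20.5.5"},          # inside 172.16.0.0/12 -> filtered
    {"EventID": 30806, "ServerAddress": "198.51.100.7:445"},    # external, port suffix -> alert
    {"EventID": 30800, "ServerName": "share.example.invalid"},  # not a selected EventID -> no alert
    {"EventID": 30803, "ServerAddress": "2001:db8::1"},         # IPv6: no IPv4 range matches -> alert
    {"EventID": 30803},                                         # selected ID but no address -> alert
]

if __name__ == "__main__":
    for i in evaluate(SAMPLE_EVENTS):
        print("ALERT:", SAMPLE_EVENTS[i])
```

Two things the sample run makes visible that the YAML alone does not: the filter lists only IPv4 ranges, so an environment that reaches internal shares over IPv6 (link-local `fe80::/10`, loopback `::1`, or ULA `fc00::/7`) will see those connections alert unless the filter is extended; and, as the last event shows, any selected EventID that lacks `ServerAddress` bypasses the filter entirely, which is exactly the noise the commented-out 30800/31001 entries would introduce.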
Related rules
- CVE-2023-23397 Exploitation Attempt
- Suspicious WebDav Client Execution Via Rundll32.EXE
- Outlook Task/Note Reminder Received
- WebDav Put Request
- Qakbot Regsvr32 Calc Pattern