Potential CVE-2023-23397 Exploitation Attempt - SMB

Detects (failed) outbound connection attempts to internet-facing SMB servers. This could be a sign of potential exploitation attempts of CVE-2023-23397.

Sigma rule

title: Potential CVE-2023-23397 Exploitation Attempt - SMB
id: de96b824-02b0-4241-9356-7e9b47f04bac
status: test
description: Detects (failed) outbound connection attempts to internet facing SMB servers. This could be a sign of potential exploitation attempts of CVE-2023-23397.
references:
    - https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/04/05
tags:
    - attack.exfiltration
    - cve.2023.23397
    - detection.emerging_threats
logsource:
    product: windows
    service: smbclient-connectivity
detection:
    selection:
        # Author Note: You could adapt this rule to use the "ServerName" field and uncomment the commented EventIDs. But you need to provide your own filter for "trusted server names"
        EventID:
            # - 30800 # The server name cannot be resolved. (Doesn't contain the "ServerAddress" field)
            - 30803 # Failed to establish a network connection.
            - 30804 # A network connection was disconnected.
            - 30806 # The client re-established its session to the server.
            # - 31001 # Error (Doesn't contain the "ServerAddress" field)
    filter_main_local_ips:
        ServerAddress|startswith:
            - '10.' # 10.0.0.0/8
            - '192.168.' # 192.168.0.0/16
            - '172.16.' # 172.16.0.0/12
            - '172.17.'
            - '172.18.'
            - '172.19.'
            - '172.20.'
            - '172.21.'
            - '172.22.'
            - '172.23.'
            - '172.24.'
            - '172.25.'
            - '172.26.'
            - '172.27.'
            - '172.28.'
            - '172.29.'
            - '172.30.'
            - '172.31.'
            - '127.' # 127.0.0.0/8
            - '169.254.' # 169.254.0.0/16
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Some false positives may occur from external trusted servers. Apply additional filters accordingly
level: medium

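To see how the rule's `selection` and `filter_main_local_ips` blocks combine, the following Python reproduces its logic over a handful of constructed SMBClient/Connectivity-style events. This is an added example, not part of the Sigma rule or its repository; the field names `EventID` and `ServerAddress` come from the rule, while the event records and addresses are made up (RFC 5737 documentation ranges stand in for internet hosts).

```python
# Added example: evaluate the Sigma rule's logic over constructed
# Microsoft-Windows-SMBClient/Connectivity-style event records.
# Field names follow the rule; the records below are invented, not real telemetry.
from typing import Iterable

# selection: the EventIDs the rule fires on (30800/31001 stay commented out in the rule)
SELECTION_EVENT_IDS = {30803, 30804, 30806}

# filter_main_local_ips: the ServerAddress|startswith values, copied from the rule
LOCAL_PREFIXES = (
    ("10.", "192.168.")
    + tuple(f"172.{n}." for n in range(16, 32))  # 172.16.0.0/12 spelled out as 16 prefixes
    + ("127.", "169.254.")
)


def is_local_address(server_address: str) -> bool:
    """True when ServerAddress starts with one of the rule's private/loopback prefixes."""
    return server_address.startswith(LOCAL_PREFIXES)


def matches_rule(event: dict) -> bool:
    """condition: selection and not 1 of filter_main_*"""
    if event.get("EventID") not in SELECTION_EVENT_IDS:
        return False
    # A missing ServerAddress is treated as non-local, so the event is kept for review.
    return not is_local_address(str(event.get("ServerAddress", "")))


def alerts(events: Iterable[dict]) -> list[dict]:
    """Return the events that the rule would raise as alerts."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry)
SAMPLE_EVENTS = [
    {"EventID": 30803, "ServerName": "fileserver", "ServerAddress": "10.20.30.40"},
    {"EventID": 30803, "ServerName": "203.0.113.7", "ServerAddress": "203.0.113.7"},    # internet host stand-in
    {"EventID": 30804, "ServerName": "nas", "ServerAddress": "172.31.5.9"},
    {"EventID": 30804, "ServerName": "198.51.100.2", "ServerAddress": "198.51.100.2"},  # internet host stand-in
    {"EventID": 30806, "ServerName": "dc01", "ServerAddress": "192.168.1.10"},
    {"EventID": 30800, "ServerName": "unresolved.example"},                            # not in selection
    {"EventID": 30803, "ServerName": "172.32.0.1", "ServerAddress": "172.32.0.1"},      # just outside 172.16/12
]

if __name__ == "__main__":
    for e in alerts(SAMPLE_EVENTS):
        print(f"ALERT EventID={e['EventID']} ServerAddress={e['ServerAddress']}")
```

Because the filter is a plain prefix match on `ServerAddress`, it only excludes the IPv4 ranges listed in the rule; any IPv6 address, and any public IPv4 address, falls through to the alert, which is why the rule's `falsepositives` entry asks for extra filters on trusted external servers.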