Potential CVE-2023-23397 Exploitation Attempt - SMB

Detects (failed) outbound connection attempts to internet facing SMB servers. This could be a sign of potential exploitation attempts of CVE-2023-23397.

Sigma rule

title: Potential CVE-2023-23397 Exploitation Attempt - SMB
id: de96b824-02b0-4241-9356-7e9b47f04bac
status: test
description: Detects (failed) outbound connection attempts to internet facing SMB servers. This could be a sign of potential exploitation attempts of CVE-2023-23397.
references:
    - https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/04/05
modified: 2024/03/13
tags:
    - attack.exfiltration
    - cve.2023.23397
    - detection.emerging_threats
logsource:
    product: windows
    service: smbclient-connectivity
detection:
    selection:
        # Author Note: You could adapt this rule to use the "ServerName" field and uncomment the commented EventIDs. But you need to provide your own filter for "trusted server names"
        EventID:
            # - 30800 # The server name cannot be resolved. (Doesn't contain the "ServerAddress" field)
            - 30803 # Failed to establish a network connection.
            - 30804 # A network connection was disconnected.
            - 30806 # The client re-established its session to the server.
            # - 31001 # Error (Doesn't contain the "ServerAddress" field)
    filter_main_local_ips:
        ServerAddress|cidr:
            - '10.0.0.0/8'
            - '127.0.0.0/8'
            - '169.254.0.0/16'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Some false positives may occur from external trusted servers. Apply additional filters accordingly
level: medium
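The rule's condition (`selection and not 1 of filter_main_*`) expressed as runnable detection logic, added here as an illustration and not code from the Sigma project. It assumes SmbClient/Connectivity events have already been parsed into dicts with `EventID` and `ServerAddress` keys; the sample events are constructed and use documentation address ranges. It also shows why events lacking `ServerAddress` (such as 30800) are left out of the selection: a `cidr` filter cannot match a missing value, so such events would otherwise always fire.

```python
import ipaddress

# EventIDs the rule selects from Microsoft-Windows-SmbClient/Connectivity
SELECTED_EVENT_IDS = {30803, 30804, 30806}

# filter_main_local_ips from the rule: connections to these ranges are dropped
LOCAL_RANGES = [ipaddress.ip_network(c) for c in (
    "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
)]


def is_local_address(server_address):
    """Mirror the Sigma `cidr` modifier: True only if the value parses as an IP
    address and lies inside one of the listed ranges. A missing or unparseable
    value never matches the filter, so the filter does not suppress the event."""
    if not server_address:
        return False
    try:
        addr = ipaddress.ip_address(server_address)
    except ValueError:
        return False
    # An IPv6 address is never "in" an IPv4 network, so IPv6 targets are not filtered
    return any(addr in net for net in LOCAL_RANGES)


def matches_rule(event):
    """condition: selection and not 1 of filter_main_*"""
    try:
        event_id = int(event.get("EventID"))
    except (TypeError, ValueError):
        return False
    if event_id not in SELECTED_EVENT_IDS:
        return False
    return not is_local_address(event.get("ServerAddress"))


def find_suspicious(events):
    """Return the events the rule would alert on, in input order."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry); public IPs are documentation ranges
SAMPLE_EVENTS = [
    {"EventID": 30803, "ServerAddress": "192.168.1.10", "ServerName": "fileserver"},
    {"EventID": 30803, "ServerAddress": "203.0.113.25", "ServerName": "203.0.113.25"},
    {"EventID": 30806, "ServerAddress": "172.20.4.7"},
    {"EventID": 30804, "ServerAddress": "198.51.100.9"},
    {"EventID": 30800, "ServerName": "share.example"},  # no ServerAddress: not selected
    {"EventID": 30803, "ServerAddress": "2001:db8::1"},  # IPv6 is outside every filter range
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(hit["EventID"], hit["ServerAddress"])
```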
