Attachment: CVE-2023-21716 - Microsoft Office Remote Code Execution Vulnerability

Attachment contains an RTF file with a font table defining an excessive number of fonts, used to exploit CVE-2023-21716.

Sublime rule

name: "Attachment: CVE-2023-21716 - Microsoft Office Remote Code Execution Vulnerability"
description: |
    Attachment contains an RTF file with a font table defining an excessive number of fonts, used to exploit CVE-2023-21716.
references:
  - "https://delivr.to/payloads?id=0a465e03-82a7-42c1-9ded-b0b6b046c86d"
  - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21716"
  - "https://twitter.com/jduck/status/1632471544935923712"
  - "https://github.com/gyaansastra/CVE-2023-21716"
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(attachments,
          (
            .file_extension in~ ("rtf", "doc", "docx")
            or .file_extension in~ $file_extensions_common_archives
            or .file_extension in~ $file_extensions_macros
            or (
              .file_extension is null
              and .file_type == "unknown"
              and .content_type == "application/octet-stream"
              and .size < 100000000
            )
          )
          and any(file.explode(.),
                  any(.scan.strings.strings, strings.ilike(., '*\fonttbl*'))
                  and length(filter(.scan.strings.strings,
                                    strings.ilike(., '{\f*;}')
                             )
                  ) > 10000
          )
  )
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Exploit"
detection_methods:
  - "Content analysis"
  - "File analysis"
id: "23714cca-f0c6-5fa5-a68b-98c9d60a508d"
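The core of the rule is a string count: the exploded attachment must contain `\fonttbl`, and more than 10000 strings must match the `{\f*;}` wildcard. The following Python is an added example, not part of the Sublime rule or of the delivr.to page, that reproduces that check outside the Sublime platform for triage or for testing a sample on disk. It assumes one thing the rule does not: instead of the broad `{\f*;}` wildcard over all extracted strings, it walks the braces of the `{\fonttbl ...}` group and counts only groups directly inside it that begin with `\f<digits>`, so nested `{\*\panose ...}` groups and unrelated groups such as `{\field ...;}` elsewhere in the file are not counted. The RTF sample embedded in the block is constructed for illustration; the rule's attachment-type gating (extensions, archives, octet-stream) is not replicated here.

```python
import re

# The Sublime rule fires on length(filter(..., '{\f*;}')) > 10000.
RULE_THRESHOLD = 10000

# A font definition group begins "{\f<digits>", e.g. "{\f0\fswiss Arial;}".
# Assumption of this example: this is stricter than the rule's '{\f*;}' wildcard.
FONT_GROUP_RE = re.compile(rb"\{\\f\d+")


def count_fonttbl_fonts(rtf: bytes) -> int:
    """Return the number of font definitions directly inside the {\\fonttbl ...} group.

    Returns 0 when the document has no font table. Escaped braces (\\{ and \\})
    and other control symbols are skipped so they do not disturb the depth count.
    """
    start = rtf.find(b"{\\fonttbl")
    if start == -1:
        return 0
    depth = 0
    count = 0
    i = start
    n = len(rtf)
    while i < n:
        c = rtf[i:i + 1]
        if c == b"\\":
            # "\{", "\}", "\\" and control words: the byte after the backslash is
            # never a structural brace, so skip both.
            i += 2
            continue
        if c == b"{":
            depth += 1
            # depth 1 is the fonttbl group itself; depth 2 is one font entry.
            if depth == 2 and FONT_GROUP_RE.match(rtf, i):
                count += 1
        elif c == b"}":
            depth -= 1
            if depth == 0:
                break  # end of the {\fonttbl ...} group
        i += 1
    return count


def is_suspicious_fonttbl(rtf: bytes, threshold: int = RULE_THRESHOLD) -> bool:
    """Mirror the rule's condition: a font table is present and it defines more than `threshold` fonts."""
    return count_fonttbl_fonts(rtf) > threshold


# Constructed sample (not a real attachment): three fonts, one with a nested
# panose group, plus a decoy "{\*\generator ...;}" group and escaped braces in
# the body that a naive '{\f*;}' count might pick up.
SAMPLE_RTF = (
    rb"{\rtf1\ansi\deff0"
    rb"{\fonttbl"
    rb"{\f0\fswiss\fcharset0{\*\panose 020b0604020202020204}Arial;}"
    rb"{\f1\froman\fcharset0 Times New Roman;}"
    rb"{\f2\fmodern\fcharset0 Courier New;}"
    rb"}"
    rb"{\*\generator constructed sample;}"
    rb"\f0 Braces in text: \{ and \} \par"
    rb"}"
)


if __name__ == "__main__":
    fonts = count_fonttbl_fonts(SAMPLE_RTF)
    print(f"fonts defined: {fonts}")
    print(f"exceeds rule threshold ({RULE_THRESHOLD}): {is_suspicious_fonttbl(SAMPLE_RTF)}")
```

To check a file on disk, pass `open(path, "rb").read()` to `is_suspicious_fonttbl`; for a `.doc`/`.docx` or archive attachment the rule relies on `file.explode(.)` to surface the embedded RTF first, which this standalone check does not do. Keeping the threshold a parameter lets the counting logic be exercised on a small sample without building an oversized font table.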