elastic / detection-rules

https://www.elastic.co/guide/en/security/current/detection-engine-overview.html

[New Rule] Suspicious WebDav Client Execution #2649

Open willemdh opened 1 year ago

willemdh commented 1 year ago

Description

Suspicious WebDav Client Execution

A critical vulnerability in the ubiquitous Microsoft Outlook/365 applications suite is being actively abused in the wild and demands urgent patching. CVE-2023-23397, a CVSS 9.8 bug, lets a remote and unauthenticated attacker breach systems merely by sending a specially crafted email that allows them to steal the recipient's credentials. It gets worse: the victim doesn't even need to open the malicious email. As Microsoft notes in its own guidance for the Microsoft 365 vulnerability: "[The email] triggers automatically when it is retrieved and processed by the Outlook client. This could lead to exploitation BEFORE the email is viewed in the Preview Pane."

A sigma rule was created yesterday:

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_susp_execution.yml

Required Info

Target indexes

logs-windows., winlogbeat-

Additional requirements

sysmon process creations

Target Operating Systems

windows

Platforms

Outlook

I haven't got the time yet to think about how this rule should look. Hopefully someone can help construct this in Elastic SIEM.

willemdh commented 1 year ago

See also https://socprime.com/rs/search-result?search=cve-2023-23397

Tried the suggested KQL query:

((process.parent.executable.text:*\\svchost.exe AND process.executable.text:*\\rundll32.exe AND process.command_line.text:*C\:\\windows\\system32\\davclnt.dll,DavSetCookie* AND process.command_line.text:/://\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/) AND (NOT ((process.command_line.text:(*\:\/\/10.* OR *\:\/\/192.168.* OR *\:\/\/172.16.* OR *\:\/\/172.17.* OR *\:\/\/172.18.* OR *\:\/\/172.19.* OR *\:\/\/172.20.* OR *\:\/\/172.21.* OR *\:\/\/172.22.* OR *\:\/\/172.23.* OR *\:\/\/172.24.* OR *\:\/\/172.25.* OR *\:\/\/172.26.* OR *\:\/\/172.27.* OR *\:\/\/172.28.* OR *\:\/\/172.29.* OR *\:\/\/172.30.* OR *\:\/\/172.31.* OR *\:\/\/127.* OR *\:\/\/169.254.*)))))

Which fails with errors:

[layeredXyVis] > [esaggs] > Expected ")", AND, OR, whitespace but ":" found.
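For reference while the KQL form is being worked out, the detection logic of the linked Sigma rule (rundll32.exe spawned by svchost.exe, loading davclnt.dll,DavSetCookie, with a WebDAV URL pointing at a non-private IPv4 address) reimplemented as a plain Python matcher over constructed Sysmon-style process creation events. This is an added illustration, not code from the detection-rules repository or from SigmaHQ; the field names follow ECS, the sample events and the `is_suspicious_webdav_client` / `run_sample` helpers are this example's own, and the excluded ranges are exactly the prefixes the Sigma rule lists (10/8, 172.16/12, 192.168/16, 127/8, 169.254/16), expressed as networks instead of wildcard prefixes.

```python
"""Sigma 'Suspicious WebDav Client Execution' logic as a Python matcher (added example).

Matches: parent svchost.exe -> rundll32.exe with 'davclnt.dll,DavSetCookie' in the
command line and a '://<IPv4>' target outside the private/loopback/link-local ranges.
"""
import ipaddress
import re
from typing import Optional

# Ranges the Sigma rule excludes via wildcard prefixes (10.*, 172.16.*-172.31.*,
# 192.168.*, 127.*, 169.254.*), written here as CIDR networks.
EXCLUDED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Same shape as the Sigma regex: a dotted quad immediately after '://'.
IP_IN_URL = re.compile(r"://(\d{1,3}(?:\.\d{1,3}){3})")


def extract_target_ip(command_line: str) -> Optional[str]:
    """Return the first dotted-quad host following '://' in the command line, or None."""
    m = IP_IN_URL.search(command_line)
    return m.group(1) if m else None


def is_excluded(ip_text: str) -> bool:
    """True if the address is in an excluded range or is not a valid IPv4 address.
    Requiring a valid address is this example's choice; the raw Sigma regex would
    also accept out-of-range octets such as 999.1.1.1."""
    try:
        ip = ipaddress.IPv4Address(ip_text)
    except ValueError:
        return True
    return any(ip in net for net in EXCLUDED_NETS)


def is_suspicious_webdav_client(event: dict) -> bool:
    """Apply the rule's selection and filter to one ECS-style process event (assumed field names)."""
    parent = event.get("process.parent.executable", "").lower()
    exe = event.get("process.executable", "").lower()
    cmd = event.get("process.command_line", "")
    if not parent.endswith("\\svchost.exe") or not exe.endswith("\\rundll32.exe"):
        return False
    if "davclnt.dll,davsetcookie" not in cmd.lower():
        return False
    ip = extract_target_ip(cmd)
    return ip is not None and not is_excluded(ip)


# Constructed sample events (203.0.113.0/24 is a documentation range, used as a
# stand-in for an external address).
SAMPLE_EVENTS = [
    {"id": 1,  # external WebDAV target -> should alert
     "process.parent.executable": "C:\\Windows\\System32\\svchost.exe",
     "process.executable": "C:\\Windows\\System32\\rundll32.exe",
     "process.command_line": "rundll32.exe C:\\windows\\system32\\davclnt.dll,DavSetCookie "
                             "203.0.113.10 http://203.0.113.10/share"},
    {"id": 2,  # internal file server -> excluded by the private-range filter
     "process.parent.executable": "C:\\Windows\\System32\\svchost.exe",
     "process.executable": "C:\\Windows\\System32\\rundll32.exe",
     "process.command_line": "rundll32.exe C:\\windows\\system32\\davclnt.dll,DavSetCookie "
                             "192.168.1.5 http://192.168.1.5/share"},
    {"id": 3,  # wrong parent process -> selection does not match
     "process.parent.executable": "C:\\Windows\\explorer.exe",
     "process.executable": "C:\\Windows\\System32\\rundll32.exe",
     "process.command_line": "rundll32.exe C:\\windows\\system32\\davclnt.dll,DavSetCookie "
                             "203.0.113.10 http://203.0.113.10/share"},
    {"id": 4,  # hostname rather than IP literal -> the rule's IP regex does not match
     "process.parent.executable": "C:\\Windows\\System32\\svchost.exe",
     "process.executable": "C:\\Windows\\System32\\rundll32.exe",
     "process.command_line": "rundll32.exe C:\\windows\\system32\\davclnt.dll,DavSetCookie "
                             "files.example.net http://files.example.net/share"},
]


def run_sample() -> list:
    """Return the ids of the sample events that the rule logic would alert on."""
    return [e["id"] for e in SAMPLE_EVENTS if is_suspicious_webdav_client(e)]


if __name__ == "__main__":
    print("alerting event ids:", run_sample())
```

Event 4 shows the rule's main blind spot as written in Sigma: a WebDAV target given as a hostname never matches the IP regex, so anyone translating this into a KQL or EQL rule may want to decide deliberately whether to keep that restriction.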