topic Re: Detection Logic For CVE-2023-23397 - Microsoft Outlook in Cortex XDR Discussions

Detection Logic For CVE-2023-23397 - Microsoft Outlook

Gokul_K — Sun, 26 Mar 2023 17:15:52 GMT

Hi Team,

Anyone having detection logic XQL query for CVE-2023-23397 - Microsoft Outlook EOP ? #DetectionLogic #XQL #ThreatHunting #CVE-2023-23397

Thanks,

Gokul K

Re: Detection Logic For CVE-2023-23397 - Microsoft Outlook

fmoixsante — Mon, 27 Mar 2023 13:28:15 GMT

Hi @Gokul_K

Palo Alto Networks is aware of CVE-2023-23397, and our Engineering team is actively researching possible signature coverage based on all the reports we received and our own testing.

Thanks for your question.

Re: Detection Logic For CVE-2023-23397 - Microsoft Outlook

KanwarSingh01 — Thu, 30 Mar 2023 03:30:37 GMT

The best option will be to patch the system.

I think the below two queries can help you hunt CVE-2023-23397

Query 1: Outbound Connection to Public IP on Port 445 or 139 via Outlook.exe (Some systems are showing network connection from PID 4 which is System which makes it hard to hunt.)

config case_sensitive = false | preset = network_story | filter actor_process_image_name = "outlook.exe" and action_remote_port in (445,139) | filter action_remote_ip != null | filter incidr(action_remote_ip,"127.0.0.0/8") = false | filter incidr(action_remote_ip,"10.0.0.0/8") = false | filter incidr(action_remote_ip,"192.168.0.0/16") = false | filter incidr(action_remote_ip,"172.16.0.0/12") = false | filter incidr(action_remote_ip,"169.254.0.0/16") = false | filter incidr(action_remote_ip,"224.0.0.0/4") = false | filter incidr(action_remote_ip,"255.255.255.255/32") = false | iploc action_remote_ip loc_asn, loc_asn_org, loc_country, loc_city, loc_region | fields agent_hostname as Host, action_local_ip, action_remote_ip, action_remote_port, loc_asn, loc_asn_org, loc_country, loc_city, loc_region, actor_process_image_name as Process, actor_process_os_pid as PID, actor_process_command_line as Command, actor_process_image_path as Path, actor_process_signature_status as SignerStatus, actor_process_signature_vendor as Vendor, causality_actor_process_image_name as CGO | sort desc _time

Query 2: Outbound Connection via WebDav which will fallback if the above connection is not successful. (i.e. Outlook Not Connecting to SMB)

config case_sensitive = false | preset = network_story | filter actor_process_image_name = "rundll32.exe" and actor_process_command_line contains "DavSetCookie" | filter action_remote_ip != null | filter incidr(action_remote_ip,"127.0.0.0/8") = false | filter incidr(action_remote_ip,"10.0.0.0/8") = false | filter incidr(action_remote_ip,"192.168.0.0/16") = false | filter incidr(action_remote_ip,"172.16.0.0/12") = false | filter incidr(action_remote_ip,"169.254.0.0/16") = false | filter incidr(action_remote_ip,"224.0.0.0/4") = false | filter incidr(action_remote_ip,"255.255.255.255/32") = false | iploc action_remote_ip loc_asn, loc_asn_org, loc_country, loc_city, loc_region | fields agent_hostname as Host, action_local_ip, action_remote_ip, action_remote_port, loc_asn, loc_asn_org, loc_country, loc_city, loc_region, actor_process_image_name as Process, actor_process_os_pid as PID, actor_process_command_line as Command, actor_process_image_path as Path, actor_process_signature_status as SignerStatus, actor_process_signature_vendor as Vendor, causality_actor_process_image_name as CGO | sort desc _time

Regards

Kanwar

Re: Detection Logic For CVE-2023-23397 - Microsoft Outlook

micomi — Thu, 30 Mar 2023 06:25:26 GMT

Thank you for sharing @KanwarSingh01

I tried to create a similar query before where I didn't filter for outlook.exe but for all traffic going to these two ports. To achieve this I just filtered the local ip (to only see connections from internal devices):

| filter incidr(action_local_ip,"10.0.0.0/8") = true or incidr(action_local_ip,"192.168.0.0/16") = true or incidr(action_local_ip,"172.16.0.0/12") = true

You probably will see more results but will also get the traffic with PID 4 from System. This definitely requires more filtering in results, what I've seen so far.

Just to add ideas how to hunt for CVE-2023-23397

Re: Detection Logic For CVE-2023-23397 - Microsoft Outlook

KanwarSingh01 — Fri, 31 Mar 2023 02:06:51 GMT

Any reason why you are using action_local_ip instead of action_remote_ip?

Re: Detection Logic For CVE-2023-23397 - Microsoft Outlook

micomi — Mon, 03 Apr 2023 05:35:43 GMT

@KanwarSingh01 My snippet was thought as addition to yours. I'm using both, action_local_ip and action_remote_ip. My goal is to filter for traffic from internal devices (where Outlook is installed). Servers with public ip addresses aren't interesting in this case because there shouldn't be outlook installed.

config case_sensitive = false | preset = network_story | filter action_remote_ip != null | filter incidr(action_remote_ip,"127.0.0.0/8") = false | filter incidr(action_remote_ip,"10.0.0.0/8") = false | filter incidr(action_remote_ip,"192.168.0.0/16") = false | filter incidr(action_remote_ip,"172.16.0.0/12") = false | filter incidr(action_remote_ip,"169.254.0.0/16") = false | filter incidr(action_remote_ip,"224.0.0.0/4") = false | filter incidr(action_remote_ip,"255.255.255.255/32") = false | filter incidr(action_local_ip,"10.0.0.0/8") = true or incidr(action_local_ip,"192.168.0.0/16") = true or incidr(action_local_ip,"172.16.0.0/12") = true | iploc action_remote_ip loc_asn, loc_asn_org, loc_country, loc_city, loc_region | fields agent_hostname as Host, action_local_ip, action_remote_ip, action_remote_port, loc_asn, loc_asn_org, loc_country, loc_city, loc_region, actor_process_image_name as Process, actor_process_os_pid as PID, actor_process_command_line as Command, actor_process_image_path as Path, actor_process_signature_status as SignerStatus, actor_process_signature_vendor as Vendor, causality_actor_process_image_name as CGO | sort desc _time

Here a full query of my idea. Just a suggestion if there is traffic from SYSTEM which doesn't fit you filter, then it could be helpful to query with network filters only.

Hope this helps

Re: Detection Logic For CVE-2023-23397 - Microsoft Outlook

KanwarSingh01 — Mon, 03 Apr 2023 06:05:44 GMT

Hmm.... I guess we have different environments.

Thanks for the reply.