This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

BIOC detection for CVE-2023-2033

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

BIOC detection for CVE-2023-2033

Callum_Crawford
L0 Member

‎04-17-2023 02:54 PM

Hi community,

 

I am attempting to create a BIOC detection for CVE-2023-2033. 

 

I can see via host insights there are some machines which are running versions vulnerable to this exploit, however I am looking to create a BIOC to trigger based on chrome being spawned with a version of 112.0.5615.121 or less. 

 

I can't seem to determine which query builder field will need to contain the version number.

 

Would anyone else have any insight into this? 

0 Likes Likes
2 REPLIES 2

PiyushKohli
L4 Transporter

‎04-17-2023 10:23 PM

Hi @Callum_Crawford 

 

Apologies I had to remove my earlier post as using earlier XQL logic you may find the endpoints running that specific chrome version however using this preset you won't be able to create a BIOC rule.

 

preset = host_inventory_applications
| filter (application_name = "Google Chrome") and version <= "112.0.5615.121"

 

Let me check test and share it.

 

Thanks

0 Likes Likes

PiyushKohli
L4 Transporter

‎04-19-2023 12:20 AM

Hi @Callum_Crawford 

 

Greetings! I have an update on your above Use Case, if I understood correctly you would like to detect endpoints vulnerable to CVE-2023-2033 and has chrome version 112.0.5615.121 or less running on that endpoint. Instead of BIOC to achieve this you may create Correlation Rule and the Alert/Incident will be triggered whenever there is match.

 

For Testing I tried below logic and it create alert for the use case I understood as shared above.

 

dataset = va_cves
| filter name = "CVE-2023-28293"
| arrayexpand affected_hosts
| join type = inner (preset = xdr_process | filter (actor_process_image_name contains "chrome") | dedup agent_hostname ) as end end.agent_hostname = affected_hosts
| join type = inner (preset = host_inventory_applications | filter (application_name = "Google Chrome") and version <= "112.0.5615.121") as ed ed.endpoint_name = affected_hosts
| dedup endpoint_name

You may further tune the query based on your requirement. 

 

Hope this helps!

Please mark the response as "Accept as Solution" if it answers your query.


Regards.

0 Likes Likes
  • 1364 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks