BIOC detection for CVE-2023-2033


L0 Member

Hi community,

 

I am attempting to create a BIOC detection for CVE-2023-2033. 

 

I can see via Host Insights that there are some machines running versions vulnerable to this exploit; however, I am looking to create a BIOC to trigger based on Chrome being spawned with a version of 112.0.5615.121 or less.

 

I can't seem to determine which query builder field will need to contain the version number.

 

Would anyone else have any insight into this? 

2 REPLIES

L4 Transporter

Hi @Callum_Crawford 

 

Apologies, I had to remove my earlier post: using the earlier XQL logic you may find the endpoints running that specific Chrome version; however, using this preset you won't be able to create a BIOC rule.

 

preset = host_inventory_applications
| filter (application_name = "Google Chrome") and version <= "112.0.5615.121"

 

Let me check, test and share it.

 

Thanks

L4 Transporter

Hi @Callum_Crawford 

 

Greetings! I have an update on your above use case. If I understood correctly, you would like to detect endpoints that are vulnerable to CVE-2023-2033 and have Chrome version 112.0.5615.121 or lower running on them. Instead of a BIOC, to achieve this you may create a Correlation Rule, and the Alert/Incident will be triggered whenever there is a match.

 

For testing I tried the logic below, and it created an alert for the use case as I understood it, shared above.

 

dataset = va_cves
| filter name = "CVE-2023-28293"
| arrayexpand affected_hosts
| join type = inner (preset = xdr_process | filter (actor_process_image_name contains "chrome") | dedup agent_hostname ) as end end.agent_hostname = affected_hosts
| join type = inner (preset = host_inventory_applications | filter (application_name = "Google Chrome") and version <= "112.0.5615.121") as ed ed.endpoint_name = affected_hosts
| dedup endpoint_name

You may further tune the query based on your requirement. 

 

Hope this helps!

Please mark the response as "Accept as Solution" if it answers your query.


Regards.
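An added example, not from this thread and not Cortex XDR code: both queries above compare `version <= "112.0.5615.121"`, and if that field is compared as plain text rather than as dotted numbers, builds such as 112.0.5615.49 sort after the threshold and are silently missed. The Python below runs a numeric and a text comparison over constructed sample inventory rows so the rule's behaviour can be sanity-checked before it is trusted.

```python
# Added example (not from the thread): numeric dotted-version comparison
# versus plain string comparison when hunting for Chrome <= 112.0.5615.121.
# The inventory rows below are constructed sample data, not real telemetry.
from typing import Callable, List, Tuple

PATCH_THRESHOLD = "112.0.5615.121"  # last affected version, as stated in the thread


def parse_version(v: str) -> Tuple[int, ...]:
    """Split a dotted version string into a tuple of ints so it compares numerically."""
    return tuple(int(part) for part in v.strip().split("."))


def is_vulnerable_numeric(version: str, threshold: str = PATCH_THRESHOLD) -> bool:
    """Numeric comparison: True when version <= threshold, component by component."""
    return parse_version(version) <= parse_version(threshold)


def is_vulnerable_lexical(version: str, threshold: str = PATCH_THRESHOLD) -> bool:
    """Plain string comparison, i.e. what a text-field comparison would do."""
    return version <= threshold


# Constructed host inventory rows: (endpoint_name, application_name, version)
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("host-a", "Google Chrome", "112.0.5615.49"),   # older build, vulnerable
    ("host-b", "Google Chrome", "112.0.5615.121"),  # exactly at threshold, vulnerable
    ("host-c", "Google Chrome", "112.0.5615.138"),  # patched
    ("host-d", "Google Chrome", "99.0.4844.84"),    # old major version, vulnerable
    ("host-e", "Mozilla Firefox", "112.0.1"),       # not Chrome, must be ignored
]


def vulnerable_hosts(
    rows: List[Tuple[str, str, str]],
    compare: Callable[[str], bool] = is_vulnerable_numeric,
) -> List[str]:
    """Return sorted endpoint names running Google Chrome at or below the threshold."""
    return sorted(host for host, app, ver in rows if app == "Google Chrome" and compare(ver))


if __name__ == "__main__":
    # Numeric finds host-a, host-b, host-d; the text comparison finds only host-b.
    print("numeric :", vulnerable_hosts(SAMPLE_INVENTORY))
    print("lexical :", vulnerable_hosts(SAMPLE_INVENTORY, is_vulnerable_lexical))
```

If the platform's comparison on that field turns out to be numeric-aware, the two lists match and the rule can be used as written; if they differ, the lexical result shows exactly which hosts the rule would miss.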
