04-17-2023 02:54 PM
I am attempting to create a BIOC detection for CVE-2023-2033.
I can see via host insights there are some machines which are running versions vulnerable to this exploit, however I am looking to create a BIOC to trigger based on chrome being spawned with a version of 112.0.5615.121 or less.
I can't seem to determine which query builder field will need to contain the version number.
Would anyone else have any insight into this?
04-17-2023 10:23 PM
Apologies I had to remove my earlier post as using earlier XQL logic you may find the endpoints running that specific chrome version however using this preset you won't be able to create a BIOC rule.
preset = host_inventory_applications
| filter (application_name = "Google Chrome") and version <= "112.0.5615.121"
Let me check test and share it.
04-19-2023 12:20 AM
Greetings! I have an update on your above Use Case, if I understood correctly you would like to detect endpoints vulnerable to CVE-2023-2033 and has chrome version 112.0.5615.121 or less running on that endpoint. Instead of BIOC to achieve this you may create Correlation Rule and the Alert/Incident will be triggered whenever there is match.
For Testing I tried below logic and it create alert for the use case I understood as shared above.
dataset = va_cves
| filter name = "CVE-2023-28293"
| arrayexpand affected_hosts
| join type = inner (preset = xdr_process | filter (actor_process_image_name contains "chrome") | dedup agent_hostname ) as end end.agent_hostname = affected_hosts
| join type = inner (preset = host_inventory_applications | filter (application_name = "Google Chrome") and version <= "112.0.5615.121") as ed ed.endpoint_name = affected_hosts
| dedup endpoint_name
You may further tune the query based on your requirement.
Hope this helps!
Please mark the response as "Accept as Solution" if it answers your query.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!