Detection Logic For CVE-2023-23397 - Microsoft Outlook



L1 Bithead

Hi Team,

Does anyone have a detection logic XQL query for CVE-2023-23397 (Microsoft Outlook EoP)? Cortex XDR #DetectionLogic #XQL #ThreatHunting #CVE-2023-23397

Thanks,

Gokul K

L4 Transporter

Hi @Gokul_K,

Palo Alto Networks is aware of CVE-2023-23397, and our Engineering team is actively researching possible signature coverage based on all the reports we have received and our own testing.

Thanks for your question.

L3 Networker

The best option will be to patch the system.

I think the two queries below can help you hunt for CVE-2023-23397.

Query 1: Outbound connection to a public IP on port 445 or 139 via outlook.exe (some systems show the network connection coming from PID 4, which is System, which makes it hard to hunt.)

config case_sensitive = false 
| preset = network_story 
| filter actor_process_image_name = "outlook.exe" and action_remote_port in (445,139)
| filter action_remote_ip != null
| filter incidr(action_remote_ip,"127.0.0.0/8") = false
| filter incidr(action_remote_ip,"10.0.0.0/8") = false 
| filter incidr(action_remote_ip,"192.168.0.0/16") = false 
| filter incidr(action_remote_ip,"172.16.0.0/12") = false
| filter incidr(action_remote_ip,"169.254.0.0/16") = false
| filter incidr(action_remote_ip,"224.0.0.0/4") = false 
| filter incidr(action_remote_ip,"255.255.255.255/32") = false
| iploc action_remote_ip loc_asn, loc_asn_org, loc_country, loc_city, loc_region 
| fields agent_hostname as Host, action_local_ip, action_remote_ip, action_remote_port, loc_asn, loc_asn_org, loc_country, loc_city, loc_region, actor_process_image_name as Process, actor_process_os_pid as PID, actor_process_command_line as Command, actor_process_image_path as Path, actor_process_signature_status as SignerStatus, actor_process_signature_vendor as Vendor, causality_actor_process_image_name as CGO
| sort desc _time

Query 2: Outbound connection via WebDAV, which Outlook falls back to if the above connection is not successful (i.e. Outlook is not able to connect over SMB).

config case_sensitive = false 
| preset = network_story 
| filter actor_process_image_name = "rundll32.exe" and actor_process_command_line contains "DavSetCookie"
| filter action_remote_ip != null
| filter incidr(action_remote_ip,"127.0.0.0/8") = false
| filter incidr(action_remote_ip,"10.0.0.0/8") = false 
| filter incidr(action_remote_ip,"192.168.0.0/16") = false 
| filter incidr(action_remote_ip,"172.16.0.0/12") = false
| filter incidr(action_remote_ip,"169.254.0.0/16") = false
| filter incidr(action_remote_ip,"224.0.0.0/4") = false 
| filter incidr(action_remote_ip,"255.255.255.255/32") = false
| iploc action_remote_ip loc_asn, loc_asn_org, loc_country, loc_city, loc_region 
| fields agent_hostname as Host, action_local_ip, action_remote_ip, action_remote_port, loc_asn, loc_asn_org, loc_country, loc_city, loc_region, actor_process_image_name as Process, actor_process_os_pid as PID, actor_process_command_line as Command, actor_process_image_path as Path, actor_process_signature_status as SignerStatus, actor_process_signature_vendor as Vendor, causality_actor_process_image_name as CGO
| sort desc _time

Regards

Kanwar

Kind Regards
KS

L2 Linker

Thank you for sharing @KanwarSingh01 

I tried to create a similar query before where I didn't filter for outlook.exe but for all traffic going to these two ports. To achieve this I just filtered the local IP (to only see connections from internal devices):

| filter incidr(action_local_ip,"10.0.0.0/8") = true or incidr(action_local_ip,"192.168.0.0/16") = true or incidr(action_local_ip,"172.16.0.0/12") = true

You will probably see more results, but you will also get the traffic with PID 4 from System. This definitely requires more filtering of the results, from what I've seen so far.

Just to add ideas on how to hunt for CVE-2023-23397.

Any reason why you are using action_local_ip instead of action_remote_ip?

Kind Regards
KS

L2 Linker

@KanwarSingh01 My snippet was meant as an addition to yours. I'm using both action_local_ip and action_remote_ip. My goal is to filter for traffic from internal devices (where Outlook is installed). Servers with public IP addresses aren't interesting in this case because Outlook shouldn't be installed there.

config case_sensitive = false 
| preset = network_story 
| filter action_remote_ip != null
| filter incidr(action_remote_ip,"127.0.0.0/8") = false
| filter incidr(action_remote_ip,"10.0.0.0/8") = false 
| filter incidr(action_remote_ip,"192.168.0.0/16") = false 
| filter incidr(action_remote_ip,"172.16.0.0/12") = false
| filter incidr(action_remote_ip,"169.254.0.0/16") = false
| filter incidr(action_remote_ip,"224.0.0.0/4") = false 
| filter incidr(action_remote_ip,"255.255.255.255/32") = false
| filter incidr(action_local_ip,"10.0.0.0/8") = true or incidr(action_local_ip,"192.168.0.0/16") = true or incidr(action_local_ip,"172.16.0.0/12") = true
| iploc action_remote_ip loc_asn, loc_asn_org, loc_country, loc_city, loc_region 
| fields agent_hostname as Host, action_local_ip, action_remote_ip, action_remote_port, loc_asn, loc_asn_org, loc_country, loc_city, loc_region, actor_process_image_name as Process, actor_process_os_pid as PID, actor_process_command_line as Command, actor_process_image_path as Path, actor_process_signature_status as SignerStatus, actor_process_signature_vendor as Vendor, causality_actor_process_image_name as CGO
| sort desc _time

Here is the full query for my idea. Just a suggestion: if there is traffic from SYSTEM which doesn't fit your filter, then it could be helpful to query with network filters only.

Hope this helps

L3 Networker

Hmm.... I guess we have different environments.

Thanks for the reply.

Kind Regards
KS
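As an added worked example (not code from any post in this thread, and not a Palo Alto Networks artifact), the following Python models the hunt logic of both approaches above so the filters can be exercised offline: Kanwar's process-based Query 1 (outlook.exe to a public IP on 445/139) and Query 2 (rundll32.exe with DavSetCookie in the command line), plus the network-only variant that keeps only RFC 1918 local addresses and therefore also surfaces connections attributed to PID 4 (System). The `NetEvent` fields mirror the XQL field names used in the queries; the excluded remote ranges and the internal local ranges are exactly the CIDRs from the thread. The sample events, hostnames, PIDs and the DavSetCookie command line are constructed for illustration and use documentation address ranges only.

```python
# Added example: Python model of the thread's XQL hunt logic over constructed
# endpoint network-connection records (not real telemetry).
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Remote ranges the thread's queries exclude before geolocating
# (loopback, RFC 1918, link-local, multicast, broadcast).
EXCLUDED_REMOTE = [ipaddress.ip_network(c) for c in (
    "127.0.0.0/8", "10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12",
    "169.254.0.0/16", "224.0.0.0/4", "255.255.255.255/32")]

# RFC 1918 ranges the network-only variant requires the local side to be in.
INTERNAL_LOCAL = [ipaddress.ip_network(c) for c in (
    "10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12")]

SMB_PORTS = (445, 139)


@dataclass
class NetEvent:
    host: str          # agent_hostname
    process: str       # actor_process_image_name
    pid: int           # actor_process_os_pid
    cmdline: str       # actor_process_command_line
    local_ip: str      # action_local_ip
    remote_ip: str     # action_remote_ip
    remote_port: int   # action_remote_port


def remote_is_public(ip: str) -> bool:
    """Equivalent of the chained 'incidr(action_remote_ip, ...) = false' filters."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in EXCLUDED_REMOTE)


def local_is_internal(ip: str) -> bool:
    """Equivalent of the 'incidr(action_local_ip, ...) = true' filter."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_LOCAL)


def classify(ev: NetEvent) -> Optional[str]:
    """Process-based hunt: 'smb' for a Query 1 hit, 'webdav' for a Query 2 hit.

    Matching is case-insensitive, like 'config case_sensitive = false'.
    """
    if not remote_is_public(ev.remote_ip):
        return None
    proc = ev.process.lower()
    if proc == "outlook.exe" and ev.remote_port in SMB_PORTS:
        return "smb"
    if proc == "rundll32.exe" and "davsetcookie" in ev.cmdline.lower():
        return "webdav"
    return None


def hunt_by_process(events: List[NetEvent]) -> List[Tuple[str, str, str, int]]:
    """Return (host, stage, remote_ip, pid) for every process-based hit."""
    hits = []
    for ev in events:
        stage = classify(ev)
        if stage:
            hits.append((ev.host, stage, ev.remote_ip, ev.pid))
    return hits


def hunt_by_network(events: List[NetEvent]) -> List[Tuple[str, str, str, int]]:
    """Network-only variant: any internal host reaching a public IP on 445/139,
    regardless of process. This is what surfaces egress attributed to PID 4
    (System), at the cost of more results to triage."""
    hits = []
    for ev in events:
        if (local_is_internal(ev.local_ip) and remote_is_public(ev.remote_ip)
                and ev.remote_port in SMB_PORTS):
            hits.append((ev.host, "smb-any-process", ev.remote_ip, ev.pid))
    return hits


# Constructed sample telemetry (hypothetical hosts, PIDs and command lines).
SAMPLE_EVENTS = [
    # Outlook to an external SMB listener: Query 1 hit.
    NetEvent("ws01", "OUTLOOK.EXE", 5120, "outlook.exe", "10.1.2.3", "203.0.113.10", 445),
    # Outlook to an internal file server: benign, excluded by the remote filter.
    NetEvent("ws01", "outlook.exe", 5120, "outlook.exe", "10.1.2.3", "10.1.2.50", 445),
    # WebDAV fallback to the same external host: Query 2 hit.
    NetEvent("ws02", "rundll32.exe", 7712,
             r"rundll32.exe C:\Windows\System32\davclnt.dll,DavSetCookie 203.0.113.10 http://203.0.113.10/share",
             "192.168.5.9", "203.0.113.10", 80),
    # Same SMB egress attributed to PID 4: missed by Query 1, caught network-only.
    NetEvent("ws03", "System", 4, "", "10.4.4.4", "198.51.100.7", 445),
    # Server with a public local address: dropped by the internal-local filter.
    NetEvent("srv01", "System", 4, "", "203.0.113.20", "198.51.100.7", 445),
]

if __name__ == "__main__":
    for hit in hunt_by_process(SAMPLE_EVENTS) + hunt_by_network(SAMPLE_EVENTS):
        print(hit)
```

Running it shows the trade-off discussed in the thread: `hunt_by_process` returns only the outlook.exe and rundll32.exe hits, while `hunt_by_network` also returns the PID 4 connection from ws03 and drops the server with a public local address. The same two-stage idea (direct SMB first, WebDAV fallback second) is what the two XQL queries encode.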