03-26-2023 10:15 AM
Hi Team,
Anyone having detection logic XQL query for CVE-2023-23397 - Microsoft Outlook EOP? Cortex XDR #DetectionLogic #XQL #ThreatHunting #CVE-2023-23397
Thanks,
Gokul K
03-27-2023 06:28 AM
Hi @Gokul_K
Palo Alto Networks is aware of CVE-2023-23397, and our Engineering team is actively researching possible signature coverage based on all the reports we received and our own testing.
Thanks for your question.
03-29-2023 08:30 PM
The best option will be to patch the system.
I think the two queries below can help you hunt for CVE-2023-23397.
Query 1: Outbound connection to a public IP on port 445 or 139 via Outlook.exe (some systems are showing the network connection from PID 4, which is System, and that makes it hard to hunt).
config case_sensitive = false
| preset = network_story
| filter actor_process_image_name = "outlook.exe" and action_remote_port in (445,139)
| filter action_remote_ip != null
| filter incidr(action_remote_ip,"127.0.0.0/8") = false
| filter incidr(action_remote_ip,"10.0.0.0/8") = false
| filter incidr(action_remote_ip,"192.168.0.0/16") = false
| filter incidr(action_remote_ip,"172.16.0.0/12") = false
| filter incidr(action_remote_ip,"169.254.0.0/16") = false
| filter incidr(action_remote_ip,"224.0.0.0/4") = false
| filter incidr(action_remote_ip,"255.255.255.255/32") = false
| iploc action_remote_ip loc_asn, loc_asn_org, loc_country, loc_city, loc_region
| fields agent_hostname as Host, action_local_ip, action_remote_ip, action_remote_port, loc_asn, loc_asn_org, loc_country, loc_city, loc_region, actor_process_image_name as Process, actor_process_os_pid as PID, actor_process_command_line as Command, actor_process_image_path as Path, actor_process_signature_status as SignerStatus, actor_process_signature_vendor as Vendor, causality_actor_process_image_name as CGO
| sort desc _time
Query 2: Outbound connection via WebDAV, which Outlook falls back to if the above connection is not successful (i.e. Outlook is not able to connect over SMB).
config case_sensitive = false
| preset = network_story
| filter actor_process_image_name = "rundll32.exe" and actor_process_command_line contains "DavSetCookie"
| filter action_remote_ip != null
| filter incidr(action_remote_ip,"127.0.0.0/8") = false
| filter incidr(action_remote_ip,"10.0.0.0/8") = false
| filter incidr(action_remote_ip,"192.168.0.0/16") = false
| filter incidr(action_remote_ip,"172.16.0.0/12") = false
| filter incidr(action_remote_ip,"169.254.0.0/16") = false
| filter incidr(action_remote_ip,"224.0.0.0/4") = false
| filter incidr(action_remote_ip,"255.255.255.255/32") = false
| iploc action_remote_ip loc_asn, loc_asn_org, loc_country, loc_city, loc_region
| fields agent_hostname as Host, action_local_ip, action_remote_ip, action_remote_port, loc_asn, loc_asn_org, loc_country, loc_city, loc_region, actor_process_image_name as Process, actor_process_os_pid as PID, actor_process_command_line as Command, actor_process_image_path as Path, actor_process_signature_status as SignerStatus, actor_process_signature_vendor as Vendor, causality_actor_process_image_name as CGO
| sort desc _time
Regards
Kanwar
03-29-2023 11:21 PM - edited 03-29-2023 11:25 PM
Thank you for sharing @KanwarSingh01
I tried to create a similar query before where I didn't filter for outlook.exe but for all traffic going to these two ports. To achieve this I just filtered the local IP (to only see connections from internal devices):
| filter incidr(action_local_ip,"10.0.0.0/8") = true or incidr(action_local_ip,"192.168.0.0/16") = true or incidr(action_local_ip,"172.16.0.0/12") = true
You probably will see more results, but you will also get the traffic with PID 4 from System. From what I've seen so far, this definitely requires more filtering of the results.
Just adding ideas on how to hunt for CVE-2023-23397.
03-30-2023 07:06 PM
Any reason why you are using action_local_ip instead of action_remote_ip?
04-02-2023 10:35 PM
@KanwarSingh01 My snippet was meant as an addition to yours. I'm using both action_local_ip and action_remote_ip. My goal is to filter for traffic from internal devices (where Outlook is installed). Servers with public IP addresses aren't interesting in this case because Outlook shouldn't be installed there.
config case_sensitive = false
| preset = network_story
| filter action_remote_ip != null
| filter action_remote_port in (445,139)
| filter incidr(action_remote_ip,"127.0.0.0/8") = false
| filter incidr(action_remote_ip,"10.0.0.0/8") = false
| filter incidr(action_remote_ip,"192.168.0.0/16") = false
| filter incidr(action_remote_ip,"172.16.0.0/12") = false
| filter incidr(action_remote_ip,"169.254.0.0/16") = false
| filter incidr(action_remote_ip,"224.0.0.0/4") = false
| filter incidr(action_remote_ip,"255.255.255.255/32") = false
| filter incidr(action_local_ip,"10.0.0.0/8") = true or incidr(action_local_ip,"192.168.0.0/16") = true or incidr(action_local_ip,"172.16.0.0/12") = true
| iploc action_remote_ip loc_asn, loc_asn_org, loc_country, loc_city, loc_region
| fields agent_hostname as Host, action_local_ip, action_remote_ip, action_remote_port, loc_asn, loc_asn_org, loc_country, loc_city, loc_region, actor_process_image_name as Process, actor_process_os_pid as PID, actor_process_command_line as Command, actor_process_image_path as Path, actor_process_signature_status as SignerStatus, actor_process_signature_vendor as Vendor, causality_actor_process_image_name as CGO
| sort desc _time
Here is the full query for my idea. Just a suggestion: if there is traffic from SYSTEM that doesn't fit your filter, it could be helpful to query with network filters only.
Hope this helps.
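To make the difference between the two approaches in this thread concrete, here is an added Python example (not from the thread, and not Palo Alto Networks code) that re-implements the same three rules over a handful of constructed network records: Kanwar's Query 1 (outlook.exe to a public IP on 445/139), Query 2 (the rundll32.exe DavSetCookie WebDAV fallback), and the network-only variant that drops the process filter and keeps the local-IP filter instead. The field names on the NetEvent record mirror the network_story preset, but the dataclass, the rule functions and the sample events (using the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges as stand-ins for public addresses) are assumptions made for this example. It shows why the network-only rule catches the PID 4 / System case that the process-scoped rule misses, at the cost of more rows to triage.

```python
import ipaddress
from dataclasses import dataclass

# Remote ranges the thread's XQL queries exclude with incidr(...) = false.
NON_PUBLIC_REMOTE = [ipaddress.ip_network(c) for c in (
    "127.0.0.0/8", "10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12",
    "169.254.0.0/16", "224.0.0.0/4", "255.255.255.255/32",
)]
# Local ranges the network-only variant keeps with incidr(...) = true.
INTERNAL_LOCAL = [ipaddress.ip_network(c) for c in (
    "10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12",
)]
SMB_PORTS = {445, 139}


@dataclass
class NetEvent:
    """One network record; field names mirror the network_story preset (assumed shape)."""
    agent_hostname: str
    action_local_ip: str
    action_remote_ip: str
    action_remote_port: int
    actor_process_image_name: str
    actor_process_os_pid: int
    actor_process_command_line: str


def is_public_remote(ip: str) -> bool:
    """Equivalent of the chain of incidr(action_remote_ip, ...) = false filters."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NON_PUBLIC_REMOTE)


def is_internal_local(ip: str) -> bool:
    """Equivalent of the incidr(action_local_ip, ...) = true filter."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_LOCAL)


def match_outlook_smb(ev: NetEvent) -> bool:
    """Query 1: outlook.exe talking SMB/NetBIOS to a public address."""
    return (ev.actor_process_image_name.lower() == "outlook.exe"
            and ev.action_remote_port in SMB_PORTS
            and is_public_remote(ev.action_remote_ip))


def match_webdav_fallback(ev: NetEvent) -> bool:
    """Query 2: the WebDAV fallback, rundll32.exe with DavSetCookie on the command line."""
    return (ev.actor_process_image_name.lower() == "rundll32.exe"
            and "davsetcookie" in ev.actor_process_command_line.lower()
            and is_public_remote(ev.action_remote_ip))


def match_network_only(ev: NetEvent) -> bool:
    """Network-only variant: no process filter, so PID 4 / System traffic is kept."""
    return (ev.action_remote_port in SMB_PORTS
            and is_public_remote(ev.action_remote_ip)
            and is_internal_local(ev.action_local_ip))


RULES = {
    "outlook_smb": match_outlook_smb,
    "webdav_fallback": match_webdav_fallback,
    "network_only": match_network_only,
}


def hunt(events):
    """Return {rule_name: [hostnames that matched]}, preserving event order."""
    return {name: [ev.agent_hostname for ev in events if rule(ev)]
            for name, rule in RULES.items()}


# Constructed sample telemetry: 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges standing in for external addresses; hostnames, PIDs and command lines are made up.
SAMPLE_EVENTS = [
    NetEvent("WS01", "10.1.2.3", "203.0.113.10", 445, "outlook.exe", 5120, "outlook.exe"),
    NetEvent("WS02", "10.1.2.4", "198.51.100.7", 80, "rundll32.exe", 6200,
             "rundll32.exe davclnt.dll,DavSetCookie 198.51.100.7 http://198.51.100.7/"),
    NetEvent("WS03", "10.1.2.5", "203.0.113.10", 445, "System", 4, ""),  # PID 4 case
    NetEvent("WS04", "10.1.2.6", "10.0.0.5", 445, "outlook.exe", 5300, "outlook.exe"),  # internal file server
    NetEvent("WS05", "192.168.1.10", "203.0.113.20", 443, "chrome.exe", 7000, "chrome.exe"),
]

if __name__ == "__main__":
    for rule, hosts in hunt(SAMPLE_EVENTS).items():
        print(f"{rule}: {hosts}")
```

Running it shows WS01 matched by both the Outlook rule and the network-only rule, WS02 only by the WebDAV rule (port 80 is not SMB), and WS03 only by the network-only rule, which is exactly the System / PID 4 gap discussed above; WS04 (internal file server) and WS05 (browser on 443) match nothing.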
04-02-2023 11:05 PM
Hmm.... I guess we have different environments.
Thanks for the reply.