Detecting Exploits for CVE-2023-23397

Microsoft Outlook Vulnerability Analysis

CVE-2023-23397 is a critical elevation of privilege (EoP) vulnerability in Microsoft Outlook with a CVSS base score of 9.8. It was first disclosed on March 14, 2023, and attributed to APT28, also known as Fancy Bear or Strontium – a threat actor associated with the Russian General Staff Main Intelligence Directorate (GRU). The vulnerability is mainly used against the European government, military, and energy sectors. The severity of CVE-2023-23397 is mainly credited to its nature as a zero-touch exploit: no user interaction is needed for a threat actor to exploit the vulnerability via a specific email or calendar item sent to a user. As a result of a successful CVE-2023-23397 exploit, an attacker can obtain the Net-NTLMv2 hash that contains the user's encrypted credentials. This allows adversaries to move laterally within the network to reach more sensitive information.

Today, we'll analyze this Outlook vulnerability and check several options for mitigating and detecting CVE-2023-23397.

To help organizations proactively detect CVE-2023-23397 exploitation attempts, SOC Prime Platform for collective cyber defense curates a set of verified, context-enriched Sigma rules. By clicking the Explore Detections button, you can instantly reach relevant Sigma rules for CVE-2023-23397 detection via the registry_event, powershell, process_creation, and cmdline log sources. The rules are aligned with the latest MITRE ATT&CK® framework and supported by extensive metadata and relevant threat intelligence links.

Microsoft recommends using their Exchange scanning script as the first step of the threat-hunting process for a potential compromise. It audits the Exchange server for malicious messages, including emails, tasks, and calendar items. If you don't identify any suspicious values through the scanning script, you can hunt for the indicators of compromise. Examine the following anomalous behavior:

- Observe the telemetry of Microsoft Defender for Endpoint and Microsoft Defender for Identity, as well as the Exchange Server logging, for any NTLM authentication that involves external or untrusted resources.
- Track process execution events for attempts at a WebDAV connection.
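The two hunting checks above (NTLM authentication toward external or untrusted resources, and process execution events for WebDAV connection attempts) can be turned into a small triage script. The following is an added example, not code from SOC Prime, Microsoft, or the Sigma rules the post links to. It assumes a simple key=value event format (not any product's native schema), a hypothetical internal DNS suffix `.corp.example`, and the `rundll32.exe ... davclnt.dll,DavSetCookie <host> ...` command-line shape that the Windows WebDAV client produces; the log lines are constructed for the demo.

```python
"""Triage helper for CVE-2023-23397 hunting guidance (added example).

Checks two things over key=value event lines:
  1. process_creation: rundll32 loading davclnt.dll (Windows WebDAV client)
     with DavSetCookie pointing at a host outside the internal ranges.
  2. ntlm_auth: NTLM authentication whose target resource is external.
"""
import ipaddress
import re
from dataclasses import dataclass

# RFC 1918 and loopback; anything else is treated as external/untrusted.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Hypothetical internal DNS suffix (assumption); replace with your own.
INTERNAL_SUFFIX = ".corp.example"

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumed command-line shape of the Windows WebDAV client invocation.
DAV_RE = re.compile(r'davclnt\.dll,DavSetCookie\s+(\S+)', re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    line_no: int
    detail: str


def parse_kv(line):
    """Parse key=value pairs (values may be double-quoted) into a dict."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def is_external(host):
    """True for public IPs and for DNS names outside the internal suffix."""
    host = host.strip("[]").lower()
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return not host.endswith(INTERNAL_SUFFIX)
    return not any(ip in net for net in PRIVATE_NETS)


def check_process_creation(ev):
    """Flag the WebDAV client reaching for a host outside the internal ranges."""
    m = DAV_RE.search(ev.get("CommandLine", ""))
    if not m or not is_external(m.group(1)):
        return None
    return (f"WebDAV client targeting external host {m.group(1)} "
            f"(parent {ev.get('ParentImage', '?')})")


def check_ntlm_auth(ev):
    """Flag NTLM authentication whose target resource is external/untrusted."""
    if ev.get("AuthPackage", "").upper() != "NTLM":
        return None
    target = ev.get("Target", "")
    if target and is_external(target):
        return f"NTLM auth by {ev.get('Account', '?')} to external resource {target}"
    return None


def hunt(lines):
    """Run both checks over event lines; return a list of Finding objects."""
    checks = {"process_creation": ("webdav_client_external", check_process_creation),
              "ntlm_auth": ("ntlm_auth_external", check_ntlm_auth)}
    findings = []
    for n, line in enumerate(lines, 1):
        ev = parse_kv(line)
        if ev.get("EventType") not in checks:
            continue
        rule, fn = checks[ev["EventType"]]
        detail = fn(ev)
        if detail:
            findings.append(Finding(rule, n, detail))
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_LOG = [
    # Outlook spawning the WebDAV client toward an external host: suspicious.
    'EventType=process_creation Image=C:\\Windows\\System32\\rundll32.exe '
    'CommandLine="rundll32.exe C:\\Windows\\system32\\davclnt.dll,DavSetCookie '
    '203.0.113.10 http://203.0.113.10/share/file" '
    'ParentImage="C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"',
    # Same client toward an internal file server: expected in most estates.
    'EventType=process_creation Image=C:\\Windows\\System32\\rundll32.exe '
    'CommandLine="rundll32.exe C:\\Windows\\system32\\davclnt.dll,DavSetCookie '
    '10.20.30.40 http://10.20.30.40/docs" ParentImage="C:\\Windows\\explorer.exe"',
    # NTLM authentication to an external resource: suspicious.
    'EventType=ntlm_auth Account=jdoe Workstation=WS-0142 AuthPackage=NTLM Target=203.0.113.10',
    # NTLM to an internal host: expected.
    'EventType=ntlm_auth Account=jdoe Workstation=WS-0142 AuthPackage=NTLM Target=fs01.corp.example',
    # Kerberos is out of scope for this check.
    'EventType=ntlm_auth Account=jdoe Workstation=WS-0142 AuthPackage=Kerberos Target=198.51.100.7',
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"[{f.rule}] line {f.line_no}: {f.detail}")
```

Run as-is it reports two findings, lines 1 and 3 of the sample; in practice you would feed it exported process-creation and authentication events and tune `INTERNAL_SUFFIX` and `PRIVATE_NETS` to the estate, since an internal WebDAV or NTLM target is normal while an external one is the signal the post tells you to look for.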