CVE-2023-23397 - Microsoft Outlook EoP

This pack handles Microsoft Outlook EoP CVE-2023-23397 vulnerability

This pack is part of the Rapid Breach Response pack.

CVE-2023-23397 - Critical Elevation of Privilege vulnerability in Microsoft Outlook

Summary

Microsoft Threat Intelligence discovered limited, targeted abuse of a vulnerability in Microsoft Outlook for Windows that allows for new technology LAN manager (NTLM) credential theft. Microsoft has released CVE-2023-23397 to address the critical elevation of privilege (EoP) vulnerability affecting Microsoft Outlook for Windows.

The playbook includes the following tasks:

Hunting:

Microsoft PowerShell hunting script
Advanced SIEM hunting queries
Indicators hunting

Mitigations:

Microsoft official CVE-2023-23397 patch
Microsoft workarounds
Detection Rules
- Yara

References:

Microsoft Mitigates Outlook Elevation of Privilege Vulnerability
CVE-2023-23397 Audit & Eradication Script
Neo23x0 Yara Rules

This pack is part of the Rapid Breach Response pack.

CVE-2023-23397 - Critical Elevation of Privilege vulnerability in Microsoft Outlook

Summary

The playbook includes the following tasks:

Hunting:

Microsoft PowerShell hunting script
Advanced SIEM hunting queries
Indicators hunting

Mitigations:

Microsoft official CVE-2023-23397 patch
Microsoft workarounds
Detection Rules
- Yara

References:

Microsoft Mitigates Outlook Elevation of Privilege Vulnerability
CVE-2023-23397 Audit & Eradication Script
Neo23x0 Yara Rules

Playbooks

Name	Description
CVE-2023-23397 - Microsoft Outlook EoP	CVE-2023-23397 - Critical Elevation of Privilege vulnerability in Microsoft Outlook Summary Microsoft Threat Intelligence discovered limited, targeted abuse of a vulnerability in Microsoft Outlook for Windows that allows for new technology LAN manager (NTLM) credential theft. Microsoft has released CVE-2023-23397 to address the critical elevation of privilege (EoP) vulnerability affecting Microsoft Outlook for Windows. We strongly recommend all customers update Microsoft Outlook for Windows to remain secure. Affected Products All supported versions of Microsoft Outlook for Windows are affected. Other versions of Microsoft Outlook such as Android, iOS, Mac, as well as Outlook on the web and other M365 services are not affected. Technical Details CVE-2023-23397 is a critical EoP vulnerability in Microsoft Outlook that is triggered when an attacker sends a message with an extended MAPI property with a UNC path to an SMB (TCP 445) share on a threat actor-controlled server. No user interaction is required. The threat actor is using a connection to the remote SMB server sends the user’s NTLM negotiation message, which the attacker can then relay for authentication against other systems that support NTLM authentication. This playbook should be triggered manually or can be configured as a job. Please create a new incident and choose the CVE-2023-23397 - Microsoft Outlook EoP playbook and Rapid Breach Response incident type. The playbook includes the following tasks: Hunting: Panorama Threat IDs Cortex XDR XQL hunting query BTP hunting Microsoft PowerShell hunting script Advanced SIEM hunting queries Indicators hunting Endpoint by CVE hunting Mitigations: Cortex XDR Advanced API Monitoring Microsoft official CVE-2023-23397 patch Microsoft workarounds Detection Rules Yara References: Microsoft Mitigates Outlook Elevation of Privilege Vulnerability CVE-2023-23397 Audit & Eradication Script Neo23x0 Yara Rules Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.

Name

Description

CVE-2023-23397 - Microsoft Outlook EoP

CVE-2023-23397 - Critical Elevation of Privilege vulnerability in Microsoft Outlook

Summary

Affected Products

All supported versions of Microsoft Outlook for Windows are affected. Other versions of Microsoft Outlook such as Android, iOS, Mac, as well as Outlook on the web and other M365 services are not affected.

Technical Details

CVE-2023-23397 is a critical EoP vulnerability in Microsoft Outlook that is triggered when an attacker sends a message with an extended MAPI property with a UNC path to an SMB (TCP 445) share on a threat actor-controlled server. No user interaction is required.

The threat actor is using a connection to the remote SMB server sends the user’s NTLM negotiation message, which the attacker can then relay for authentication against other systems that support NTLM authentication.

This playbook should be triggered manually or can be configured as a job.
Please create a new incident and choose the CVE-2023-23397 - Microsoft Outlook EoP playbook and Rapid Breach Response incident type.

The playbook includes the following tasks:

Hunting:

Panorama Threat IDs
Cortex XDR
- XQL hunting query
- BTP hunting
Microsoft PowerShell hunting script
Advanced SIEM hunting queries
Indicators hunting
Endpoint by CVE hunting

Mitigations:

Cortex XDR Advanced API Monitoring
Microsoft official CVE-2023-23397 patch
Microsoft workarounds
Detection Rules
- Yara

References:

Microsoft Mitigates Outlook Elevation of Privilege Vulnerability

CVE-2023-23397 Audit & Eradication Script

Neo23x0 Yara Rules

Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.

Playbooks

Name	Description
CVE-2023-23397 - Microsoft Outlook EoP	CVE-2023-23397 - Critical Elevation of Privilege vulnerability in Microsoft Outlook Summary Microsoft Threat Intelligence discovered limited, targeted abuse of a vulnerability in Microsoft Outlook for Windows that allows for new technology LAN manager (NTLM) credential theft. Microsoft has released CVE-2023-23397 to address the critical elevation of privilege (EoP) vulnerability affecting Microsoft Outlook for Windows. We strongly recommend all customers update Microsoft Outlook for Windows to remain secure. Affected Products All supported versions of Microsoft Outlook for Windows are affected. Other versions of Microsoft Outlook such as Android, iOS, Mac, as well as Outlook on the web and other M365 services are not affected. Technical Details CVE-2023-23397 is a critical EoP vulnerability in Microsoft Outlook that is triggered when an attacker sends a message with an extended MAPI property with a UNC path to an SMB (TCP 445) share on a threat actor-controlled server. No user interaction is required. The threat actor is using a connection to the remote SMB server sends the user’s NTLM negotiation message, which the attacker can then relay for authentication against other systems that support NTLM authentication. This playbook should be triggered manually or can be configured as a job. Please create a new alert and choose the CVE-2023-23397 - Microsoft Outlook EoP playbook and Rapid Breach Response alert type. The playbook includes the following tasks: Hunting: Panorama Threat IDs Cortex XDR XQL hunting query BTP hunting Microsoft PowerShell hunting script Advanced SIEM hunting queries Indicators hunting Endpoint by CVE hunting Mitigations: Cortex XDR Advanced API Monitoring Microsoft official CVE-2023-23397 patch Microsoft workarounds Detection Rules Yara References: Microsoft Mitigates Outlook Elevation of Privilege Vulnerability CVE-2023-23397 Audit & Eradication Script Neo23x0 Yara Rules Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.

Name

Description

CVE-2023-23397 - Microsoft Outlook EoP

CVE-2023-23397 - Critical Elevation of Privilege vulnerability in Microsoft Outlook

Summary

Affected Products

Technical Details

This playbook should be triggered manually or can be configured as a job.
Please create a new alert and choose the CVE-2023-23397 - Microsoft Outlook EoP playbook and Rapid Breach Response alert type.

The playbook includes the following tasks:

Hunting:

Panorama Threat IDs
Cortex XDR
- XQL hunting query
- BTP hunting
Microsoft PowerShell hunting script
Advanced SIEM hunting queries
Indicators hunting
Endpoint by CVE hunting

Mitigations:

Cortex XDR Advanced API Monitoring
Microsoft official CVE-2023-23397 patch
Microsoft workarounds
Detection Rules
- Yara

References:

Microsoft Mitigates Outlook Elevation of Privilege Vulnerability

CVE-2023-23397 Audit & Eradication Script

Neo23x0 Yara Rules

Required Content Packs (3)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Rapid Breach Response	By: Cortex XSOAR

Optional Content Packs (8)

Pack Name	Pack By
Azure Log Analytics	By: Cortex XSOAR
Phishing	By: Cortex XSOAR
Cortex XDR by Palo Alto Networks	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Splunk	By: Cortex XSOAR
PAN-OS by Palo Alto Networks	By: Cortex XSOAR
Elasticsearch	By: Cortex XSOAR
IBM QRadar	By: Cortex XSOAR

All level dependencies (13)

Pack Name	Pack By
Common Types	By: Cortex XSOAR
Malware Core	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR
Access Investigation	By: Cortex XSOAR
Cryptocurrency	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Ransomware	By: Cortex XSOAR
Base	By: Cortex XSOAR
Rasterize	By: Cortex XSOAR
Identity	By: Cortex XSOAR
Asset	By: Cortex XSOAR
Rapid Breach Response	By: Cortex XSOAR