CVE-2023-36884 - Microsoft Office and Windows HTML RCE

Details
Content
Dependencies
Version History

This pack handles CVE-2023-36884 - Microsoft Office and Windows HTML RCE vulnerability

CVE-2023-36884 - Microsoft Office and Windows HTML RCE

Microsoft recently detected a sophisticated phishing campaign orchestrated by a threat actor called Storm-0978. The targets of this campaign were defense and government organizations in Europe and North America. The attackers exploited the previously undisclosed CVE-2023-36884, introduced in July's recent Patch Tuesday release.

CVE-2023-36884 is affecting both Office and Windows. This zero-day vulnerability enables remote code execution through specially crafted Microsoft Office documents.

This pack will provide you with a first response kit which includes:

Threat Hunting Queries
IoC Collection and Remediation
Mitigation Measures

References:

CVE-2023-36884 - Microsoft Office and Windows HTML Remote Code Execution: Threat Brief

Storm-0978 attacks reveal financial and espionage motives

CVE-2023-36884 - Microsoft Office and Windows HTML RCE

CVE-2023-36884 is affecting both Office and Windows. This zero-day vulnerability enables remote code execution through specially crafted Microsoft Office documents.

This pack will provide you with a first response kit which includes:

Threat Hunting Queries
IoC Collection and Remediation
Mitigation Measures

References:

CVE-2023-36884 - Microsoft Office and Windows HTML Remote Code Execution: Threat Brief

Storm-0978 attacks reveal financial and espionage motives

Playbooks

Name Description

Name	Description
CVE-2023-36884 - Microsoft Office and Windows HTML RCE	CVE-2023-36884 - Microsoft Office and Windows HTML RCE Summary: Microsoft recently detected a sophisticated phishing campaign orchestrated by a threat actor called Storm-0978. The targets of this campaign were defense and government organizations in Europe and North America. The attackers exploited the previously undisclosed CVE-2023-36884, introduced in July's recent Patch Tuesday release. CVE-2023-36884 is affecting both Office and Windows. This zero-day vulnerability enables remote code execution through specially crafted Microsoft Office documents. This playbook should be triggered manually or can be configured as a job. Please create a new incident and choose the CVE-2023-36884 - Office and Windows HTML RCE playbook and Rapid Breach Response incident type. The playbook includes the following tasks: IoCs Collection Unit42 IoCs download Hunting: PANW Hunting: Cortex XDR XQL exploitation patterns hunting Panorama Threat IDs hunting Advanced SIEM exploitation patterns hunting Indicators hunting Endpoints by CVE hunting The hunting queries are searching for the following activities: Detects a Microsoft Office file drops a file called 'file001.url'. Suspicious New Instance Of An Office COM Object Change PowerShell Policies to an Insecure Level `Please note that the threat hunting queries are related to the behavior identified as part of the exploitation patterns and may result in false positive detections.` Mitigations: Microsoft mitigation measures References: CVE-2023-36884 - Microsoft Office and Windows HTML Remote Code Execution: Threat Brief Storm-0978 attacks reveal financial and espionage motives

CVE-2023-36884 - Microsoft Office and Windows HTML RCE

Summary:

CVE-2023-36884 is affecting both Office and Windows. This zero-day vulnerability enables remote code execution through specially crafted Microsoft Office documents.

This playbook should be triggered manually or can be configured as a job.

Please create a new incident and choose the CVE-2023-36884 - Office and Windows HTML RCE playbook and Rapid Breach Response incident type.

The playbook includes the following tasks:

IoCs Collection

Unit42 IoCs download

Hunting:

PANW Hunting:
- Cortex XDR XQL exploitation patterns hunting
- Panorama Threat IDs hunting
Advanced SIEM exploitation patterns hunting
Indicators hunting
Endpoints by CVE hunting

The hunting queries are searching for the following activities:

Detects a Microsoft Office file drops a file called 'file001.url'.
Suspicious New Instance Of An Office COM Object
Change PowerShell Policies to an Insecure Level

Please note that the threat hunting queries are related to the behavior identified as part of the exploitation patterns and may result in false positive detections.

Mitigations:

Microsoft mitigation measures

References:

CVE-2023-36884 - Microsoft Office and Windows HTML Remote Code Execution: Threat Brief
Storm-0978 attacks reveal financial and espionage motives

Playbooks

Name Description

Name	Description
CVE-2023-36884 - Microsoft Office and Windows HTML RCE	CVE-2023-36884 - Microsoft Office and Windows HTML RCE Summary: Microsoft recently detected a sophisticated phishing campaign orchestrated by a threat actor called Storm-0978. The targets of this campaign were defense and government organizations in Europe and North America. The attackers exploited the previously undisclosed CVE-2023-36884, introduced in July's recent Patch Tuesday release. CVE-2023-36884 is affecting both Office and Windows. This zero-day vulnerability enables remote code execution through specially crafted Microsoft Office documents. This playbook should be triggered manually or can be configured as a job. Please create a new alert and choose the CVE-2023-36884 - Office and Windows HTML RCE playbook and Rapid Breach Response alert type. The playbook includes the following tasks: IoCs Collection Unit42 IoCs download Hunting: PANW Hunting: Cortex XDR XQL exploitation patterns hunting Panorama Threat IDs hunting Advanced SIEM exploitation patterns hunting Indicators hunting Endpoints by CVE hunting The hunting queries are searching for the following activities: Detects a Microsoft Office file drops a file called 'file001.url'. Suspicious New Instance Of An Office COM Object Change PowerShell Policies to an Insecure Level `Please note that the threat hunting queries are related to the behavior identified as part of the exploitation patterns and may result in false positive detections.` Mitigations: Microsoft mitigation measures References: CVE-2023-36884 - Microsoft Office and Windows HTML Remote Code Execution: Threat Brief Storm-0978 attacks reveal financial and espionage motives

CVE-2023-36884 - Microsoft Office and Windows HTML RCE

Summary:

CVE-2023-36884 is affecting both Office and Windows. This zero-day vulnerability enables remote code execution through specially crafted Microsoft Office documents.

This playbook should be triggered manually or can be configured as a job.

Please create a new alert and choose the CVE-2023-36884 - Office and Windows HTML RCE playbook and Rapid Breach Response alert type.

The playbook includes the following tasks:

IoCs Collection

Unit42 IoCs download

Hunting:

PANW Hunting:
- Cortex XDR XQL exploitation patterns hunting
- Panorama Threat IDs hunting
Advanced SIEM exploitation patterns hunting
Indicators hunting
Endpoints by CVE hunting

The hunting queries are searching for the following activities:

Detects a Microsoft Office file drops a file called 'file001.url'.
Suspicious New Instance Of An Office COM Object
Change PowerShell Policies to an Insecure Level

Please note that the threat hunting queries are related to the behavior identified as part of the exploitation patterns and may result in false positive detections.

Mitigations:

Microsoft mitigation measures

References:

CVE-2023-36884 - Microsoft Office and Windows HTML Remote Code Execution: Threat Brief
Storm-0978 attacks reveal financial and espionage motives

Required Content Packs (3)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Rapid Breach Response	By: Cortex XSOAR

Optional Content Packs (7)

Pack Name	Pack By
Azure Log Analytics	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Cortex XDR by Palo Alto Networks	By: Cortex XSOAR
Elasticsearch	By: Cortex XSOAR
PAN-OS by Palo Alto Networks	By: Cortex XSOAR
IBM QRadar	By: Cortex XSOAR
Splunk	By: Cortex XSOAR

All level dependencies (14)

Pack Name	Pack By
Filters And Transformers	By: Cortex XSOAR
Cryptocurrency	By: Cortex XSOAR
Asset	By: Cortex XSOAR
Base	By: Cortex XSOAR
Rapid Breach Response	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Identity	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR
Access Investigation	By: Cortex XSOAR
Aggregated Scripts	By: Cortex XSOAR
Common Types	By: Cortex XSOAR
Rasterize	By: Cortex XSOAR
Malware Core	By: Cortex XSOAR
Ransomware	By: Cortex XSOAR

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Cortex
Created	July 18, 2023
Last Release	March 23, 2026

WORKS WITH THE FOLLOWING INTEGRATIONS:

Palo Alto Networks Cortex XDR - Investigation and Response

DISCLAIMER

By downloading or using Marketplace content, you agree to the applicable Terms of Use and End User License Agreement. Third-party content is provided by its publisher, and Palo Alto Networks does not warrant, endorse, support, or assume responsibility for content not expressly identified as owned by Palo Alto Networks.