
List:       emerging-updates
Subject:    [Emerging-updates] Out-of-Band Ruleset Update Summary 2023/03/16
From:       James Emery-Callcott <jcallcott () emergingthreats ! net>
Date:       2023-03-17 0:21:36
Message-ID: CAMAH=ZiHMQ4eYV+LMOEhL8sy8cn6-n661EHU3bQ9vJwJsSgjzw () mail ! gmail ! com



[***]            Summary:            [***]

  We are releasing this out-of-band ruleset update to address
CVE-2023-23397.

  Signatures provided in this release are aimed at identifying potential
CVE-2023-23397 payloads in an SMTP context as well as a couple of
signatures that identify specific outbound SMB traffic.  These SMB
signatures are disabled by default and will likely generate many false
positives due to the nature of the exploit activity when compared with
legitimate SMB usage.

  You can find additional details on CVE-2023-23397 in the links provided
below.  This includes a PowerShell script from Microsoft that searches
through Exchange messaging items and determines whether a property
(PidLidReminderFileParameter) contains a UNC path.

  While the EXPLOIT signatures listed in this release are part of ETPRO, I
have made the decision to make these part of ET OPEN on Monday's release
(2023/03/20).

  https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397
  https://msrc.microsoft.com/blog/2023/03/microsoft-mitigates-outlook-elevation-of-privilege-vulnerability/
  https://microsoft.github.io/CSS-Exchange/Security/CVE-2023-23397/
  https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/


[+++]          Added rules:          [+++]

Open:

  2044665 - ET INFO Outbound SMB NTLM Auth Attempt to External Address
(info.rules)
  2044666 - ET INFO Outbound SMB Protocol Request to External Address
(info.rules)

Pro:

  2853726 - ETPRO EXPLOIT Possible Microsoft Outlook Elevation of Privilege
Payload Observed M1 (CVE-2023-23397) (exploit.rules)
  2853727 - ETPRO EXPLOIT Possible Microsoft Outlook Elevation of Privilege
Payload Observed M2 (CVE-2023-23397) (exploit.rules)
  2853728 - ETPRO EXPLOIT Possible Microsoft Outlook Elevation of Privilege
Payload Observed M3 (CVE-2023-23397) (exploit.rules)
  2853729 - ETPRO EXPLOIT Possible Microsoft Outlook Elevation of Privilege
Payload Observed M4 (CVE-2023-23397) (exploit.rules)
  2853730 - ETPRO EXPLOIT Possible Microsoft Outlook Elevation of Privilege
Payload Observed M5 (CVE-2023-23397) (exploit.rules)
  2853731 - ETPRO EXPLOIT Possible Microsoft Outlook Elevation of Privilege
Payload Observed M6 (CVE-2023-23397) (exploit.rules)
  2853732 - ETPRO EXPLOIT Possible Microsoft Outlook Elevation of Privilege
Payload Observed M7 (CVE-2023-23397) (exploit.rules)
  2853733 - ETPRO EXPLOIT Possible Microsoft Outlook Elevation of Privilege
Payload Observed M8 (CVE-2023-23397) (exploit.rules)

---------------------------------------

James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team
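As an added illustration (not code from the message above, and not Microsoft's PowerShell script), the check that script performs on messaging items can be approximated in Python: decide whether a PidLidReminderFileParameter value is a UNC path and, if so, whether its host looks internal or external. The sample values, the trusted hostname suffix and the verdict labels are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample values of the kind found in PidLidReminderFileParameter;
# these are not taken from the original message.
SAMPLE_ITEMS = {
    "msg-001": r"\\10.0.0.5\share\reminder.wav",        # UNC path, private IP
    "msg-002": r"C:\Windows\Media\Alarm01.wav",         # local file, benign
    "msg-003": r"\\files.example.net\pub\tone.wav",     # UNC path, external host
    "msg-004": r"\\nas.corp.example\media\chime.wav",   # UNC path, trusted suffix
    "msg-005": None,                                    # property absent
}

# A UNC path starts with two backslashes followed by the host component.
UNC_RE = re.compile(r"^\\\\([^\\/]+)(?:[\\/].*)?$")

# Assumed trusted internal DNS suffixes; adjust to the environment being checked.
TRUSTED_SUFFIXES = (".corp.example",)


def unc_host(value):
    """Return the host component if value is a UNC path, otherwise None."""
    if not value:
        return None
    match = UNC_RE.match(value.strip())
    return match.group(1) if match else None


def is_external_host(host, trusted_suffixes=TRUSTED_SUFFIXES):
    """Heuristic: IP literals outside private/loopback/link-local space, or
    hostnames not under a trusted suffix, are treated as external."""
    try:
        ip = ipaddress.ip_address(host)
        return not (ip.is_private or ip.is_loopback or ip.is_link_local)
    except ValueError:
        return not host.lower().endswith(trusted_suffixes)


def triage(items):
    """Map each item id to 'unc-external', 'unc-internal' or 'ok'."""
    verdicts = {}
    for item_id, value in items.items():
        host = unc_host(value)
        if host is None:
            verdicts[item_id] = "ok"
        elif is_external_host(host):
            verdicts[item_id] = "unc-external"
        else:
            verdicts[item_id] = "unc-internal"
    return verdicts
```

Items flagged unc-external are the ones whose reminder sound path would make the client reach out to a host outside the environment, which is the condition the SMB signatures in this release are also looking for on the wire.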



_______________________________________________
Emerging-updates mailing list
Emerging-updates@lists.emergingthreats.net
https://lists.emergingthreats.net/mailman/listinfo/emerging-updates

