CVE-2023-23397 - Microsoft Outlook EoP

### CVE-2023-23397 - Critical Elevation of Privilege vulnerability in Microsoft Outlook #### Summary Microsoft Threat Intelligence discovered limited, targeted abuse of a vulnerability in Microsoft Outlook for Windows that allows for new technology LAN manager (NTLM) credential theft. Microsoft has released CVE-2023-23397 to address the critical elevation of privilege (EoP) vulnerability affecting Microsoft Outlook for Windows. We strongly recommend all customers update Microsoft Outlook for Windows to remain secure. #### Affected Products All supported versions of Microsoft Outlook for Windows are affected. Other versions of Microsoft Outlook such as Android, iOS, Mac, as well as Outlook on the web and other M365 services are not affected. #### Technical Details CVE-2023-23397 is a critical EoP vulnerability in Microsoft Outlook that is triggered when an attacker sends a message with an extended MAPI property with a UNC path to an SMB (TCP 445) share on a threat actor-controlled server. No user interaction is required. The threat actor is using a connection to the remote SMB server sends the user’s NTLM negotiation message, which the attacker can then relay for authentication against other systems that support NTLM authentication. **This playbook should be triggered manually or can be configured as a job.** Please create a new incident and choose the CVE-2023-23397 - Microsoft Outlook EoP playbook and Rapid Breach Response incident type. **The playbook includes the following tasks:** **Hunting:** - Panorama Threat IDs - Cortex XDR - XQL hunting query - BTP hunting - Microsoft PowerShell hunting script - Advanced SIEM hunting queries - Indicators hunting - Endpoint by CVE hunting **Mitigations:** - Cortex XDR Advanced API Monitoring - Microsoft official CVE-2023-23397 patch - Microsoft workarounds - Detection Rules - Yara **References:** [Microsoft Mitigates Outlook Elevation of Privilege Vulnerability](https://msrc.microsoft.com/blog/2023/03/microsoft-mitigates-outlook-elevation-of-privilege-vulnerability/) [CVE-2023-23397 Audit & Eradication Script](https://github.com/microsoft/CSS-Exchange/blob/a4c096e8b6e6eddeba2f42910f165681ed64adf7/docs/Security/CVE-2023-23397.md) [Neo23x0 Yara Rules](https://github.com/Neo23x0/signature-base/blob/master/yara/expl_outlook_cve_2023_23397.yar) Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.

CVE-2023-23397 - Microsoft Outlook EoP · 57 tasks · 6 inputs · 0 outputs

Inputs

  • PlaybookDescription — The playbook description to be used in the Rapid Breach Response - Set Incident Info sub-playbook.
  • autoBlockIndicators — Whether to block the indicators automatically.
  • QRadarTimeRange — The time range to search for indicators in the Threat Hunting - Generic playbook.
  • SplunkEarliestTime — The earliest time to search for indicators in the Threat Hunting - Generic playbook.
  • SplunkLatestTime — The latest time to search for indicators in the Threat Hunting - Generic playbook.
  • XQLTimeRange — The time range for the Cortex XDR XQL query.

Commands used

associateIndicatorsToIncident azure-log-analytics-execute-query es-eql-search splunk-search xdr-get-alerts xdr-xql-generic-query

Flowchart

Yes Yes Yes yes yes Manual Yes yes yes Yes yes Start Start Collect Indicators Collect Indicators Microsoft PS hunting script - HttpV2 Microsoft PS hunting script HttpV2 Tag Indicators Tag Indicators Link Indicators To Incident - associateIndicatorsToIncident Link Indicators To Incident associateIndicatorsToIncident Tag CVE Indicators - CreateNewIndicatorsOnly Tag CVE Indicators CreateNewIndicatorsOnly Threat Hunting Threat Hunting SIEM Advanced Hunting SIEM Advanced Hunting Is Splunk Enabled? Is Splunk Enabled? Is QRadar Enabled? Is QRadar Enabled? Set Rapid Breach Response Layout Set Rapid Breach Response... Rapid Breach Response - Set Incident Info - Rapid Breach Response - Set Incident Info Rapid Breach Response - S... Rapid Breach Response - Set I... Is Elasticsearch Enabled? Is Elasticsearch Enabled? Is Azure Log Analytics Enabled? Is Azure Log Analytics En... Outlook initiating connection to WebDAV or SMB share - azure-log-analytics-execute-query Outlook initiating connec... azure-log-analytics-execute-q... Outlook initiating connection to WebDAV or SMB share - splunk-search Outlook initiating connec... splunk-search Outlook initiating connection to WebDAV or SMB share - es-eql-search Outlook initiating connec... es-eql-search Collect IoCs from DeepInstinct - ParseHTMLIndicators Collect IoCs from DeepIns... ParseHTMLIndicators Download IR Tools Download IR Tools Tag IP Indicators - CreateNewIndicatorsOnly Tag IP Indicators CreateNewIndicatorsOnly Outlook initiating connection to WebDAV or SMB share - QRadarFullSearch Outlook initiating connec... QRadarFullSearch PowerShell Hunting PowerShell Hunting Run CVE-2023-23397 hunting script Run CVE-2023-23397 huntin... Verify PowerShell hunting script results Verify PowerShell hunting... Found suspicious email files? Found suspicious email fi... Upload email files for analysis? Upload email files for an... Process Email - Generic v2 - Process Email - Generic v2 Process Email - Generic v2 Process Email - Generic v2 Upload suspicious emails for processing Upload suspicious emails ... Threat Hunting - Generic - Threat Hunting - Generic Threat Hunting - Generic Threat Hunting - Generic Resolution Resolution Should block indicators automatically? Should block indicators a... Block Indicators - Generic v3 - Block Indicators - Generic v3 Block Indicators - Generi... Block Indicators - Generic v3 Handle indicators manually Handle indicators manually Investigate further Investigate further Done Done Indicators Hunting Indicators Hunting Review found email files manually Review found email files ... Mitigation Mitigation Microsoft mitigating factors Microsoft mitigating factors Patch vulnerable servers Patch vulnerable servers Download Signatures Download Signatures Download Yara Rules - HttpV2 Download Yara Rules HttpV2 Deploy Yara rules Deploy Yara rules Cortex XDR Cortex XDR Suspicious WebDAV request to an external destination - xdr-xql-generic-query Suspicious WebDAV request... xdr-xql-generic-query Is Cortex XDR XQL Query Engine Enabled? Is Cortex XDR XQL Query E... Should continue with the investigation? Should continue with the ... IPS Signatures IPS Signatures Panorama Query Logs - Panorama Query Logs Panorama Query Logs Panorama Query Logs Search Endpoint by CVE - Generic - Search Endpoint by CVE - Generic Search Endpoint by CVE - ... Search Endpoint by CVE - Generic Endpoints by CVE Hunting Endpoints by CVE Hunting XQL Hunting XQL Hunting BTP Hunting BTP Hunting Search CVE-2023-23397 alerts - xdr-get-alerts Search CVE-2023-23397 alerts xdr-get-alerts Found relevant alerts? Found relevant alerts? Respond to exploitation attempts caught by Cortex XDR Respond to exploitation a... Cortex XDR Advanced API Monitoring Cortex XDR Advanced API M...