CVE-2023-36884 - Microsoft Office and Windows HTML RCE

## CVE-2023-36884 - Microsoft Office and Windows HTML RCE **Summary:** Microsoft recently detected a sophisticated phishing campaign orchestrated by a threat actor called Storm-0978. The targets of this campaign were defense and government organizations in Europe and North America. The attackers exploited the previously undisclosed CVE-2023-36884, introduced in July's recent Patch Tuesday release. CVE-2023-36884 is affecting both Office and Windows. This zero-day vulnerability enables remote code execution through specially crafted Microsoft Office documents. **This playbook should be triggered manually or can be configured as a job.** Please create a new incident and choose the CVE-2023-36884 - Office and Windows HTML RCE playbook and Rapid Breach Response incident type. **The playbook includes the following tasks:** **IoCs Collection** - Unit42 IoCs download **Hunting:** - PANW Hunting: - Cortex XDR XQL exploitation patterns hunting - Panorama Threat IDs hunting - Advanced SIEM exploitation patterns hunting - Indicators hunting - Endpoints by CVE hunting The hunting queries are searching for the following activities: - Detects a Microsoft Office file drops a file called 'file001.url'. - Suspicious New Instance Of An Office COM Object - Change PowerShell Policies to an Insecure Level `Please note that the threat hunting queries are related to the behavior identified as part of the exploitation patterns and may result in false positive detections.` **Mitigations:** - Microsoft mitigation measures **References:** [CVE-2023-36884 - Microsoft Office and Windows HTML Remote Code Execution: Threat Brief](https://unit42.paloaltonetworks.com/cve-2023-36884-rce/) [Storm-0978 attacks reveal financial and espionage motives ](https://www.microsoft.com/en-us/security/blog/2023/07/11/storm-0978-attacks-reveal-financial-and-espionage-motives/)

CVE-2023-36884 - Microsoft Office and Windows HTML RCE · 51 tasks · 8 inputs · 0 outputs

Inputs

  • PlaybookDescription — The playbook description to be used in the Rapid Breach Response - Set Incident Info sub-playbook.
  • XQLTimeRange — The time range for the XQL queries.
  • SplunkEarliestTime — The time range for the Splunk queries.
  • ElasticEarliestTime — The time range for the Elastic queries.
  • ElasticIndex — The elastic index to search in.
  • LogAnalyticsTimespan — The time range for the Azure Log Analytics queries.
  • QRadarTimeRange — The time range for the QRadar queries.
  • autoBlockIndicators — Wether to block the indicators automatically.

Commands used

azure-log-analytics-execute-query closeInvestigation es-eql-search splunk-search xdr-xql-generic-query

Flowchart

Yes Yes Yes yes Yes Yes yes Start Start Collect Indicators Collect Indicators Collect IoCs from Unit42 - ParseHTMLIndicators Collect IoCs from Unit42 ParseHTMLIndicators Tag Indicators Tag Indicators Set Rapid Breach Response Layout Set Rapid Breach Response... Rapid Breach Response - Set Incident Info - Rapid Breach Response - Set Incident Info Rapid Breach Response - S... Rapid Breach Response - Set I... Tag Domain Indicators - CreateNewIndicatorsOnly Tag Domain Indicators CreateNewIndicatorsOnly Threat Hunting Threat Hunting SIEM Advanced Hunting SIEM Advanced Hunting Indicators Hunting Indicators Hunting PANW Hunting PANW Hunting Threat Hunting - Generic - Threat Hunting - Generic Threat Hunting - Generic Threat Hunting - Generic Is Splunk Enabled? Is Splunk Enabled? Is QRadar Enabled? Is QRadar Enabled? Is Elasticsearch Enabled? Is Elasticsearch Enabled? Is Azure Log Analytics Enabled? Is Azure Log Analytics En... Microsoft Word drops file named 'file001.url' - azure-log-analytics-execute-query Microsoft Word drops file... azure-log-analytics-execute-q... Microsoft Word drops file named 'file001.url' - splunk-search Microsoft Word drops file... splunk-search Microsoft Word drops file named 'file001.url' - es-eql-search Microsoft Word drops file... es-eql-search QRadarFullSearch - QRadarFullSearch QRadarFullSearch QRadarFullSearch Cortex XDR - XQL Hunting Queries Cortex XDR - XQL Hunting ... Is Cortex XDR - XQL Enabled? Is Cortex XDR - XQL Enabled? Microsoft Word drops file named 'file001.url' - xdr-xql-generic-query Microsoft Word drops file... xdr-xql-generic-query Change PowerShell Policies to an Insecure Level - xdr-xql-generic-query Change PowerShell Policie... xdr-xql-generic-query Should continue with the investigation? Should continue with the ... Should block indicators automatically? Should block indicators a... Block Indicators - Generic v3 - Block Indicators - Generic v3 Block Indicators - Generi... Block Indicators - Generic v3 Handle indicators manually Handle indicators manually Investigate further Investigate further Done Done Remediation Remediation Mitigation Mitigation Microsoft mitigation measures Microsoft mitigation meas... Resolution Resolution Tag File Indicators - CreateNewIndicatorsOnly Tag File Indicators CreateNewIndicatorsOnly Close Investigation - closeInvestigation Close Investigation closeInvestigation Change PowerShell Policies to an Insecure Level - azure-log-analytics-execute-query Change PowerShell Policie... azure-log-analytics-execute-q... Change PowerShell Policies to an Insecure Level - splunk-search Change PowerShell Policie... splunk-search Change PowerShell Policies to an Insecure Level - es-eql-search Change PowerShell Policie... es-eql-search QRadarFullSearch - QRadarFullSearch QRadarFullSearch QRadarFullSearch Tag CVE Indicators - CreateNewIndicatorsOnly Tag CVE Indicators CreateNewIndicatorsOnly Tag IP Indicators - CreateNewIndicatorsOnly Tag IP Indicators CreateNewIndicatorsOnly Suspicious New Instance Of An Office COM Object - azure-log-analytics-execute-query Suspicious New Instance O... azure-log-analytics-execute-q... Suspicious New Instance Of An Office COM Object - splunk-search Suspicious New Instance O... splunk-search Suspicious New Instance Of An Office COM Object - es-eql-search Suspicious New Instance O... es-eql-search QRadarFullSearch - QRadarFullSearch QRadarFullSearch QRadarFullSearch Suspicious New Instance Of An Office COM Object - xdr-xql-generic-query Suspicious New Instance O... xdr-xql-generic-query Panorama Threat Prevention Panorama Threat Prevention Panorama Query Logs - Panorama Query Logs Panorama Query Logs Panorama Query Logs CVE Hunting CVE Hunting Search Endpoint by CVE - Generic - Search Endpoint by CVE - Generic Search Endpoint by CVE - ... Search Endpoint by CVE - Generic