CVE-2023-23397 Exploitation Attempt

Rule Info

Name
CVE-2023-23397 Exploitation Attempt
Author
Robert Lee @quantum_cookie
Description
Detects outlook initiating connection to a WebDAV or SMB share, which could be a sign of CVE-2023-23397 exploitation.
Reference
https://www.trustedsec.com/blog/critical-outlook-vulnerability-in-depth-technical-analysis-and-recommendations-cve-2023-23397/
Date
2023-03-16 00:00:00
Modified
2023-03-22 00:00:00
Id
73c59189-6a6d-4b9f-a748-8f6f9bbed75c
Tags
attack.credential_access attack.initial_access cve.2023.23397 detection.emerging_threats DEMO
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=73c59189-6a6d-4b9f-a748-8f6f9bbed75c

Rule History

Author
Title
Date
Commit
github-actions[bot]
Merge PR #4700 from @nasbench - Promote older rules status from `experimental` to `test`
2024-02-01
367ebd939
frack113
Update tags
2023-06-20
8c5dba374
Nasreddine Bencherchali
chore: move rules to new folders (#4205)
2023-05-02
637d61088
xFFninja
fix: update incorrect event field `Accesses` (#4133)
2023-03-22
a0732b0d1
Nasreddine Bencherchali
fix: remove backslash and add example
2023-03-17
4bcf5b75a
Nasreddine Bencherchali
fix: add definition section
2023-03-17
4a171ae82
Nasreddine Bencherchali
fix: update rule for SIGMAHQ standard
2023-03-17
cf49c5d50
leer-ts
Create win_security_outlook_remote_file.yml
2023-03-17
d45630553
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022