Emerging Threat | Level: medium | Status: test

Potential CVE-2023-23397 Exploitation Attempt - SMB

Detects (failed) outbound connection attempts to internet-facing SMB servers. This could be a sign of exploitation attempts of CVE-2023-23397, the Outlook vulnerability in which a crafted message or calendar item carries a UNC path in its reminder sound property: when the reminder fires, the Outlook client opens an SMB connection to the attacker's server and leaks the user's Net-NTLMv2 response. Because the trigger is an outbound SMB connection from the workstation, the Microsoft-Windows-SMBClient/Connectivity log records the attempt even when the connection fails.

Author: Nasreddine Bencherchali (Nextron Systems) · Created Wed Apr 05 · Updated Mon Oct 13 · de96b824-02b0-4241-9356-7e9b47f04bac · 2023
Type: Emerging Threat (Active Threat)

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source
Product: Windows (raw: windows)
Service: smbclient-connectivity (raw: smbclient-connectivity)
Detection Logic (2 selectors)
detection:
    selection:
        # Author Note: You could adapt this rule to use the "ServerName" field and uncomment the commented EventIDs. But you need to provide your own filter for "trusted server names"
        EventID:
            # - 30800 # The server name cannot be resolved. (Doesn't contain the "ServerAddress" field)
            - 30803 # Failed to establish a network connection.
            - 30804 # A network connection was disconnected.
            - 30806 # The client re-established its session to the server.
            # - 31001 # Error (Doesn't contain the "ServerAddress" field)
    filter_main_local_ips:
        - ServerAddress|cidr:
              # IPv4
              - '10.0.0.0/8'
              - '127.0.0.0/8'
              - '169.254.0.0/16'
              - '172.16.0.0/12'
              - '192.168.0.0/16'
              # IPv6
              - '::1/128'  # IPv6 loopback
              - 'fe80::/10'  # IPv6 link-local addresses
              - 'fc00::/7'  # IPv6 private addresses
        # This list is for EventID 30804, which doesn't have the "ServerAddress" field but an "Address" field containing a socket address (IP:Port) rather than a bare IP, so cidr matching can't be used here
        - Address|startswith:
              # IPv4
              - '10.'
              - '127.'
              - '169.254.'
              - '172.'  # Note: broader than 172.16.0.0/12; this also suppresses public 172.0-15.x.x and 172.32-255.x.x peers
              - '192.168.'
              # IPv6
              - '::1'
              - 'fe80::'
              - 'fc00::'  # Note: literal prefix only; ULA addresses in fd00::/8 are not suppressed by this entry
        # The filters below cover the XML raw log
        - Address|contains:
              # IPv6
              - '00000000000000000000000000000001' # ::1 - IPv6 loopback
              - 'FE80000000000000' # fe80:: - IPv6 link-local addresses
              - 'FC00000000000000' # fc00:: - IPv6 private addresses
              # IPv4
              # The "?" are meant to represent the port
              - '0200????C0A8' # 192.168.
              - '0200????AC' # 172.
              - '0200????0A' # 10.
              - '0200????7F' # 127
              - '0200????A9FE' # 169.254.
        - ServerAddress|contains:
              # IPv6
              - '00000000000000000000000000000001' # ::1 - IPv6 loopback
              - 'FE80000000000000' # fe80:: - IPv6 link-local addresses
              - 'FC00000000000000' # fc00:: - IPv6 private addresses
              # IPv4
              # The "?" are meant to represent the port
              - '0200????C0A8' # 192.168.
              - '0200????AC' # 172.
              - '0200????0A' # 10.
              - '0200????7F' # 127
              - '0200????A9FE' # 169.254.
        - RemoteAddress|contains:
              # IPv6
              - '00000000000000000000000000000001' # ::1 - IPv6 loopback
              - 'FE80000000000000' # fe80:: - IPv6 link-local addresses
              - 'FC00000000000000' # fc00:: - IPv6 private addresses
              # IPv4
              # The "?" are meant to represent the port
              - '0200????C0A8' # 192.168.
              - '0200????AC' # 172.
              - '0200????0A' # 10.
              - '0200????7F' # 127
              - '0200????A9FE' # 169.254.
    condition: selection and not 1 of filter_main_*
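To see what the filters above actually do, the following Python script re-implements the rule's logic and runs it over a handful of constructed SMBClient/Connectivity events. This is an added example, not the rule's own code or anything from SigmaHQ: the event dictionaries and the hex SOCKADDR blobs are hand-built (not real log data), the textual "[ipv6]:port" form for IPv6 socket addresses is an assumption, and the hex decoder assumes the standard Windows sockaddr_in / sockaddr_in6 layout (2-byte little-endian family, 2-byte big-endian port, then the address, with a 4-byte flowinfo before the IPv6 address). Two evaluators are run side by side: one that applies the rule literally (string prefixes and hex "contains" patterns, with Sigma's "?" single-character wildcard), and a tightened one that first decodes the peer address and then tests it against the same private ranges with proper CIDR matching, which exposes the two gaps in the string filters (the "172." prefix over-matches, and fd00::/8 ULA peers are not suppressed).

```python
"""Evaluate the CVE-2023-23397 SMB-connectivity Sigma rule over constructed events (added example)."""
import ipaddress
import re
import struct

# Event IDs from Microsoft-Windows-SMBClient/Connectivity selected by the rule
SELECTED_EVENT_IDS = {30803, 30804, 30806}

# Networks excluded by the rule's ServerAddress|cidr filter
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

# Literal prefixes from the rule's Address|startswith filter (Sigma matching is case-insensitive)
STARTSWITH_PREFIXES = ("10.", "127.", "169.254.", "172.", "192.168.", "::1", "fe80::", "fc00::")

# Hex SOCKADDR patterns from the rule's |contains filters; a Sigma "?" is a single-character wildcard
HEX_PATTERNS = [re.compile(re.escape(p).replace(r"\?", "."), re.IGNORECASE) for p in (
    "00000000000000000000000000000001", "FE80000000000000", "FC00000000000000",
    "0200????C0A8", "0200????AC", "0200????0A", "0200????7F", "0200????A9FE")]


def sigma_rule_matches(event):
    """The rule as written: selection and not 1 of filter_main_*."""
    if event.get("EventID") not in SELECTED_EVENT_IDS:
        return False
    server, addr, remote = (event.get(k, "") for k in ("ServerAddress", "Address", "RemoteAddress"))
    if server:
        try:
            if any(ipaddress.ip_address(server) in net for net in LOCAL_NETWORKS):
                return False                      # filter_main_local_ips: ServerAddress|cidr
        except ValueError:
            pass                                  # not a plain IP (e.g. raw hex); contains filters below
    if addr.lower().startswith(STARTSWITH_PREFIXES):
        return False                              # Address|startswith
    if any(p.search(f) for f in (server, addr, remote) for p in HEX_PATTERNS):
        return False                              # the three |contains filters on the raw XML form
    return True


def decode_sockaddr_hex(blob):
    """Decode a hex-encoded SOCKADDR (assumed sockaddr_in / sockaddr_in6 layout). Returns (ip, port) or None."""
    try:
        raw = bytes.fromhex(blob)
    except ValueError:
        return None
    if len(raw) < 8:
        return None
    family = struct.unpack("<H", raw[:2])[0]      # "0200" in the rule's patterns is AF_INET = 2
    port = struct.unpack("!H", raw[2:4])[0]       # network byte order, 0x01BD = 445
    if family == 2:
        return ipaddress.ip_address(raw[4:8]), port
    if family == 23 and len(raw) >= 24:           # AF_INET6: family, port, flowinfo(4), address(16)
        return ipaddress.ip_address(raw[8:24]), port
    return None


def parse_text_address(value):
    """Bare IP, "ip:port" (the 30804 Address form) or assumed "[ipv6]:port"; None if not parseable."""
    v = value.strip()
    if v.startswith("[") and "]" in v:
        v = v[1:v.index("]")]
    elif v.count(":") == 1:                       # IPv4 with port; IPv6 literals carry several colons
        v = v.split(":")[0]
    try:
        return ipaddress.ip_address(v)
    except ValueError:
        return None


def extract_peer(event):
    """Decoded peer IP from whichever address field the event carries, text first, then raw hex."""
    for field in ("ServerAddress", "Address", "RemoteAddress"):
        value = event.get(field)
        if not value:
            continue
        ip = parse_text_address(value)
        if ip is None:
            decoded = decode_sockaddr_hex(value)
            ip = decoded[0] if decoded else None
        if ip is not None:
            return ip
    return None


def is_external_smb_peer(event):
    """Tightened check: alert only when the decoded peer lies outside the rule's private ranges."""
    if event.get("EventID") not in SELECTED_EVENT_IDS:
        return False
    ip = extract_peer(event)
    return ip is not None and not any(ip in net for net in LOCAL_NETWORKS)


# Constructed sample events (not real log data); hex blobs are hand-built sockaddr_in values
SAMPLE_EVENTS = [
    {"name": "internal-share", "EventID": 30803, "ServerAddress": "10.20.30.40"},
    {"name": "internet-smb", "EventID": 30803, "ServerAddress": "203.0.113.10"},
    {"name": "172-public", "EventID": 30804, "Address": "172.200.1.1:445"},      # public, but "172." suppresses it
    {"name": "172-private", "EventID": 30804, "Address": "172.20.1.1:445"},
    {"name": "ula-fd", "EventID": 30804, "Address": "[fd12:3456::1]:445"},       # ULA, missed by 'fc00::' prefix
    {"name": "hex-private", "EventID": 30806, "RemoteAddress": "020001BDC0A801050000000000000000"},  # 192.168.1.5:445
    {"name": "hex-public", "EventID": 30806, "RemoteAddress": "020001BDCB0071650000000000000000"},   # 203.0.113.101:445
    {"name": "unselected-eventid", "EventID": 30800, "ServerName": "share.example"},
]


def evaluate(events=SAMPLE_EVENTS):
    """Run both evaluators; returns {name: (rule_as_written, decoded_peer_check)}."""
    return {e["name"]: (sigma_rule_matches(e), is_external_smb_peer(e)) for e in events}


if __name__ == "__main__":
    for name, (written, tightened) in evaluate().items():
        print(f"{name:20} rule-as-written={written!s:5} decoded-peer-check={tightened!s:5}")
```

The two evaluators agree on the straightforward cases (internal vs. internet peers, hex-encoded private vs. public addresses, unselected Event IDs) and disagree exactly where the string filters are imprecise: a 30804 event for 172.200.1.1 is silently dropped by the rule while the decoded check flags it, and a ULA peer in fd12::/16 raises an alert under the rule while the decoded check suppresses it. If you adapt the rule, replacing the "172." prefix with the sixteen "172.16." through "172.31." prefixes and adding "fd" handling for the IPv6 side closes both gaps.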
False Positives

Some false positives may occur from connections to trusted external SMB servers (for example hosted file shares). Apply additional filters on ServerAddress or ServerName for those servers accordingly.

MITRE ATT&CK

attack.exfiltration (from the raw tags)

Other

cve.2023-23397, detection.emerging-threats
Rule Metadata
Rule ID
de96b824-02b0-4241-9356-7e9b47f04bac
Status
test
Level
medium
Type
Emerging Threat
Created
Wed Apr 05
Modified
Mon Oct 13
Path
rules-emerging-threats/2023/Exploits/CVE-2023-23397/win_smbclient_connectivity_exploit_cve_2023_23397_outlook_remote_file.yml
Raw Tags
attack.exfiltration, cve.2023-23397, detection.emerging-threats