CVE-2023-36884 - Microsoft Office and Windows HTML RCE (demisto#28201)

* new pack for CVE-2023-36884

* update RN

* review fixes

Packs/CVE_2023_36884_-_Microsoft_Office_and_Windows_RCE/Playbooks/playbook-CVE-2023-36884_-_Microsoft_Office_and_Windows_HTML_RCE_README.md

@@ -0,0 +1,92 @@
+## CVE-2023-36884 - Microsoft Office and Windows HTML RCE
+
+**Summary:**
+
+Microsoft recently detected a sophisticated phishing campaign orchestrated by a threat actor called Storm-0978. The targets of this campaign were defense and government organizations in Europe and North America. The attackers exploited the previously undisclosed CVE-2023-36884, introduced in July's recent Patch Tuesday release.
+
+CVE-2023-36884 is affecting both Office and Windows. This zero-day vulnerability enables remote code execution through specially crafted Microsoft Office documents.
+
+**This playbook should be triggered manually or can be configured as a job.** 
+
+Please create a new incident and choose the CVE-2023-36884 - Office and Windows HTML RCE playbook and Rapid Breach Response incident type.
+
+**The playbook includes the following tasks:**
+
+**IoCs Collection**
+- Unit42 IoCs download
+
+**Hunting:**
+- Cortex XDR XQL exploitation patterns hunting
+- Advanced SIEM exploitation patterns hunting
+- Indicators hunting
+
+The hunting queries are searching for the following activities:
+  - Detects a Microsoft Office file drops a file called 'file001.url'.
+  - Suspicious New Instance Of An Office COM Object
+  - Change PowerShell Policies to an Insecure Level
+
+`Please note that the threat hunting queries are related to the behavior identified as part of the exploitation patterns and may result in false positive detections.`
+
+**Mitigations:**
+- Microsoft mitigation measures
+
+**References:**
+
+[CVE-2023-36884 - Microsoft Office and Windows HTML Remote Code Execution: Threat Brief](https://unit42.paloaltonetworks.com/cve-2023-36884-rce/)
+
+[Storm-0978 attacks reveal financial and espionage motives
+](https://www.microsoft.com/en-us/security/blog/2023/07/11/storm-0978-attacks-reveal-financial-and-espionage-motives/)
+
+## Dependencies
+
+This playbook uses the following sub-playbooks, integrations, and scripts.
+
+### Sub-playbooks
+
+* QRadarFullSearch
+* Threat Hunting - Generic
+* Block Indicators - Generic v3
+* Rapid Breach Response - Set Incident Info
+
+### Integrations
+
+This playbook does not use any integrations.
+
+### Scripts
+
+* ParseHTMLIndicators
+* CreateNewIndicatorsOnly
+
+### Commands
+
+* splunk-search
+* xdr-xql-generic-query
+* es-eql-search
+* closeInvestigation
+* azure-log-analytics-execute-query
+
+## Playbook Inputs
+
+---
+
+| **Name** | **Description** | **Default Value** | **Required** |
+| --- | --- | --- | --- |
+| PlaybookDescription | The playbook description to be used in the Rapid Breach Response - Set Incident Info sub-playbook. | ## CVE-2023-36884 - Microsoft Office and Windows HTML RCE<br/><br/>**Summary:**<br/><br/>Microsoft recently detected a sophisticated phishing campaign orchestrated by a threat actor called Storm-0978. The targets of this campaign were defense and government organizations in Europe and North America. The attackers exploited the previously undisclosed CVE-2023-36884, introduced in July's recent Patch Tuesday release.<br/><br/>CVE-2023-36884 is affecting both Office and Windows. This zero-day vulnerability enables remote code execution through specially crafted Microsoft Office documents.<br/><br/>**This playbook should be triggered manually or can be configured as a job.** <br/><br/>Please create a new incident and choose the CVE-2023-36884 - Office and Windows HTML RCE playbook and Rapid Breach Response incident type.<br/><br/>**The playbook includes the following tasks:**<br/><br/>**IoCs Collection**<br/>- Unit42 IoCs download<br/><br/>**Hunting:**<br/>- Cortex XDR XQL exploitation patterns hunting<br/>- Advanced SIEM exploitation patterns hunting<br/>- Indicators hunting<br/><br/>The hunting queries are searching for the following activities:<br/>  - Detects a Microsoft Office file drops a file called 'file001.url'.<br/>  - Suspicious New Instance Of An Office COM Object<br/>  - Change PowerShell Policies to an Insecure Level<br/><br/>`Please note that the threat hunting queries are related to the behavior identified as part of the exploitation patterns and may result in false positive detections.`<br/><br/>**Mitigations:**<br/>- Microsoft mitigation measures<br/><br/>**References:**<br/><br/>[CVE-2023-36884 - Microsoft Office and Windows HTML Remote Code Execution: Threat Brief](https://unit42.paloaltonetworks.com/cve-2023-36884-rce/)<br/>[Storm-0978 attacks reveal financial and espionage motives<br/>](https://www.microsoft.com/en-us/security/blog/2023/07/11/storm-0978-attacks-reveal-financial-and-espionage-motives/) | Optional |
+| autoBlockIndicators | Wether to block the indicators automatically. | True | Optional |
+| QRadarTimeRange | The time range for the QRadar queries. | Last 14 Days | Optional |
+| SplunkEarliestTime | The time range for the Splunk queries. | -14d@d | Optional |
+| ElasticEarliestTime | The time range for the Elastic queries. | now-14d/d | Optional |
+| LogAnalyticsTimespan | The time range for the Azure Log Analytics queries. | 14d | Optional |
+| XQLTimeRange | The time range for the XQL queries. | 14 days ago | Optional |
+| ElasticIndex | The elastic index to search in. |  | Optional |
+
+## Playbook Outputs
+
+---
+There are no outputs for this playbook.
+
+## Playbook Image
+
+---
+
+![CVE-2023-36884 - Microsoft Office and Windows HTML RCE](../doc_files/CVE-2023-36884_-_Microsoft_Office_and_Windows_HTML_RCE.png)

Packs/CVE_2023_36884_-_Microsoft_Office_and_Windows_RCE/README.md

@@ -0,0 +1,18 @@
+## CVE-2023-36884 - Microsoft Office and Windows HTML RCE
+
+Microsoft recently detected a sophisticated phishing campaign orchestrated by a threat actor called Storm-0978. The targets of this campaign were defense and government organizations in Europe and North America. The attackers exploited the previously undisclosed CVE-2023-36884, introduced in July's recent Patch Tuesday release.
+
+CVE-2023-36884 is affecting both Office and Windows. This zero-day vulnerability enables remote code execution through specially crafted Microsoft Office documents.
+
+This pack will provide you with a first response kit which includes:
+
+  * Threat Hunting Queries
+  * IoC Collection and Remediation
+  * Mitigation Measures
+
+**References:**
+
+[CVE-2023-36884 - Microsoft Office and Windows HTML Remote Code Execution: Threat Brief](https://unit42.paloaltonetworks.com/cve-2023-36884-rce/)
+
+[Storm-0978 attacks reveal financial and espionage motives
+](https://www.microsoft.com/en-us/security/blog/2023/07/11/storm-0978-attacks-reveal-financial-and-espionage-motives/)

Packs/CVE_2023_36884_-_Microsoft_Office_and_Windows_RCE/pack_metadata.json

@@ -0,0 +1,41 @@
+{
+    "name": "CVE-2023-36884 - Microsoft Office and Windows HTML RCE",
+    "description": "This pack handles CVE-2023-36884 - Microsoft Office and Windows HTML RCE vulnerability",
+    "support": "xsoar",
+    "currentVersion": "1.0.0",
+    "author": "Cortex XSOAR",
+    "url": "https://www.paloaltonetworks.com/cortex",
+    "email": "",
+    "categories": [
+        "Case Management"
+    ],
+    "tags": [],
+    "useCases": [],
+    "keywords": [
+        "zero-day",
+        "0-day",
+        "Microsoft",
+        "HTML",
+        "RCE",
+        "Remote Code Execution",
+        "IR",
+        "Incident Response",
+        "Response",
+        "CVE-2023-36884",
+        "36884",
+        "Storm-0978",
+        "RomCom",
+        "Office",
+        "Windows"
+    ],
+    "dependencies": {
+        "MajorBreachesInvestigationandResponse": {
+            "mandatory": true,
+            "display_name": "Rapid Breach Response"
+        }
+    },
+    "marketplaces": [
+        "xsoar",
+        "marketplacev2"
+    ]
+}

Packs/MajorBreachesInvestigationandResponse/.pack-ignore

@@ -50,4 +50,7 @@ ignore=RN113,RN114
 ignore=RM106
 
 [file:playbook-SolarStorm_and_SUNBURST_Hunting_and_Response_Playbook_6_5.yml]
-ignore=BA110
+ignore=BA110
+
+[file:1_6_35.md]
+ignore=RN113,RN114

Packs/MajorBreachesInvestigationandResponse/ReleaseNotes/1_6_35.md

@@ -0,0 +1,4 @@
+##### CVE-2023-36884 - Microsoft Office and Windows HTML RCE
+- New pack which handles the CVE-2023-36884 - Microsoft Office and Windows HTML RCE.
+  This pack can be installed by checking the box when updating the Rapid Breach Response pack (optional dependency) or by installing it directly via
+  our Marketplace.

Packs/MajorBreachesInvestigationandResponse/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "Rapid Breach Response",
     "description": "This content Pack helps you collect, investigate, and remediate incidents related to major breaches.",
     "support": "xsoar",
-    "currentVersion": "1.6.34",
+    "currentVersion": "1.6.35",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",
@@ -102,6 +102,10 @@
             "mandatory": false,
             "display_name": "Cloaked Ursa Diplomatic Phishing Campaign"
         },
+        "CVE_2023_36884_-_Microsoft_Office_and_Windows_RCE": {
+            "mandatory": false,
+            "display_name": "CVE-2023-36884 - Microsoft Office and Windows HTML RCE"
+        },
         "ServiceNow": {
             "mandatory": false,
             "display_name": "ServiceNow"