forked from demisto/content
CVE-2023-36884 - Microsoft Office and Windows HTML RCE (demisto#28201)
* new pack for CVE-2023-36884
* update RN
* review fixes
Showing 10 changed files with 2,378 additions and 2 deletions.
2,214 changes: 2,214 additions & 0 deletions
...Windows_RCE/Playbooks/playbook-CVE-2023-36884_-_Microsoft_Office_and_Windows_HTML_RCE.yml
Large diffs are not rendered by default.
92 changes: 92 additions & 0 deletions
...books/playbook-CVE-2023-36884_-_Microsoft_Office_and_Windows_HTML_RCE_README.md
@@ -0,0 +1,92 @@ | ||
## CVE-2023-36884 - Microsoft Office and Windows HTML RCE | ||
|
||
**Summary:** | ||
|
||
Microsoft recently detected a sophisticated phishing campaign orchestrated by a threat actor called Storm-0978. The targets of this campaign were defense and government organizations in Europe and North America. The attackers exploited the previously undisclosed CVE-2023-36884, introduced in July's recent Patch Tuesday release. | ||
|
||
CVE-2023-36884 is affecting both Office and Windows. This zero-day vulnerability enables remote code execution through specially crafted Microsoft Office documents. | ||
|
||
**This playbook should be triggered manually or can be configured as a job.** | ||
|
||
Please create a new incident and choose the CVE-2023-36884 - Office and Windows HTML RCE playbook and Rapid Breach Response incident type. | ||
|
||
**The playbook includes the following tasks:** | ||
|
||
**IoCs Collection** | ||
- Unit42 IoCs download | ||
|
||
**Hunting:** | ||
- Cortex XDR XQL exploitation patterns hunting | ||
- Advanced SIEM exploitation patterns hunting | ||
- Indicators hunting | ||
|
||
The hunting queries are searching for the following activities: | ||
- Detects a Microsoft Office file drops a file called 'file001.url'. | ||
- Suspicious New Instance Of An Office COM Object | ||
- Change PowerShell Policies to an Insecure Level | ||
|
||
`Please note that the threat hunting queries are related to the behavior identified as part of the exploitation patterns and may result in false positive detections.` | ||
|
||
**Mitigations:** | ||
- Microsoft mitigation measures | ||
|
||
**References:** | ||
|
||
[CVE-2023-36884 - Microsoft Office and Windows HTML Remote Code Execution: Threat Brief](https://unit42.paloaltonetworks.com/cve-2023-36884-rce/) | ||
|
||
[Storm-0978 attacks reveal financial and espionage motives | ||
](https://www.microsoft.com/en-us/security/blog/2023/07/11/storm-0978-attacks-reveal-financial-and-espionage-motives/) | ||
|
||
## Dependencies | ||
|
||
This playbook uses the following sub-playbooks, integrations, and scripts. | ||
|
||
### Sub-playbooks | ||
|
||
* QRadarFullSearch | ||
* Threat Hunting - Generic | ||
* Block Indicators - Generic v3 | ||
* Rapid Breach Response - Set Incident Info | ||
|
||
### Integrations | ||
|
||
This playbook does not use any integrations. | ||
|
||
### Scripts | ||
|
||
* ParseHTMLIndicators | ||
* CreateNewIndicatorsOnly | ||
|
||
### Commands | ||
|
||
* splunk-search | ||
* xdr-xql-generic-query | ||
* es-eql-search | ||
* closeInvestigation | ||
* azure-log-analytics-execute-query | ||
|
||
## Playbook Inputs | ||
|
||
--- | ||
|
||
| **Name** | **Description** | **Default Value** | **Required** | | ||
| --- | --- | --- | --- | | ||
| PlaybookDescription | The playbook description to be used in the Rapid Breach Response - Set Incident Info sub-playbook. | ## CVE-2023-36884 - Microsoft Office and Windows HTML RCE<br/><br/>**Summary:**<br/><br/>Microsoft recently detected a sophisticated phishing campaign orchestrated by a threat actor called Storm-0978. The targets of this campaign were defense and government organizations in Europe and North America. The attackers exploited the previously undisclosed CVE-2023-36884, introduced in July's recent Patch Tuesday release.<br/><br/>CVE-2023-36884 is affecting both Office and Windows. This zero-day vulnerability enables remote code execution through specially crafted Microsoft Office documents.<br/><br/>**This playbook should be triggered manually or can be configured as a job.** <br/><br/>Please create a new incident and choose the CVE-2023-36884 - Office and Windows HTML RCE playbook and Rapid Breach Response incident type.<br/><br/>**The playbook includes the following tasks:**<br/><br/>**IoCs Collection**<br/>- Unit42 IoCs download<br/><br/>**Hunting:**<br/>- Cortex XDR XQL exploitation patterns hunting<br/>- Advanced SIEM exploitation patterns hunting<br/>- Indicators hunting<br/><br/>The hunting queries are searching for the following activities:<br/> - Detects a Microsoft Office file drops a file called 'file001.url'.<br/> - Suspicious New Instance Of An Office COM Object<br/> - Change PowerShell Policies to an Insecure Level<br/><br/>`Please note that the threat hunting queries are related to the behavior identified as part of the exploitation patterns and may result in false positive detections.`<br/><br/>**Mitigations:**<br/>- Microsoft mitigation measures<br/><br/>**References:**<br/><br/>[CVE-2023-36884 - Microsoft Office and Windows HTML Remote Code Execution: Threat Brief](https://unit42.paloaltonetworks.com/cve-2023-36884-rce/)<br/>[Storm-0978 attacks reveal financial and espionage 
motives<br/>](https://www.microsoft.com/en-us/security/blog/2023/07/11/storm-0978-attacks-reveal-financial-and-espionage-motives/) | Optional | | ||
| autoBlockIndicators | Wether to block the indicators automatically. | True | Optional | | ||
| QRadarTimeRange | The time range for the QRadar queries. | Last 14 Days | Optional | | ||
| SplunkEarliestTime | The time range for the Splunk queries. | -14d@d | Optional | | ||
| ElasticEarliestTime | The time range for the Elastic queries. | now-14d/d | Optional | | ||
| LogAnalyticsTimespan | The time range for the Azure Log Analytics queries. | 14d | Optional | | ||
| XQLTimeRange | The time range for the XQL queries. | 14 days ago | Optional | | ||
| ElasticIndex | The elastic index to search in. | | Optional | | ||
|
||
## Playbook Outputs | ||
|
||
--- | ||
There are no outputs for this playbook. | ||
|
||
## Playbook Image | ||
|
||
--- | ||
|
||
![CVE-2023-36884 - Microsoft Office and Windows HTML RCE](../doc_files/CVE-2023-36884_-_Microsoft_Office_and_Windows_HTML_RCE.png) |
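Review bot: the second reference link at the end of the Summary is broken by a line break inside the link text (`[Storm-0978 attacks reveal financial and espionage motives` on one line, `](https://www.microsoft.com/...)` on the next), so Markdown will not render it as a link; put the whole `[text](url)` on a single line. The same break is carried into the PlaybookDescription default value, where it appears as `<br/>` inside the link text, and should be fixed there too. Two smaller points in the inputs table: "Wether to block the indicators automatically." should read "Whether", and since autoBlockIndicators defaults to True while the note above Mitigations warns that the hunting queries may produce false positives, the description should say which indicators are blocked automatically (the Block Indicators - Generic v3 sub-playbook is listed as a dependency) so an operator can decide whether to keep the default. The hunting bullet "Detects a Microsoft Office file drops a file called 'file001.url'" also reads better as "Detects a Microsoft Office process dropping a file called 'file001.url'".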
18 changes: 18 additions & 0 deletions
Packs/CVE_2023_36884_-_Microsoft_Office_and_Windows_RCE/README.md
@@ -0,0 +1,18 @@ | ||
## CVE-2023-36884 - Microsoft Office and Windows HTML RCE | ||
|
||
Microsoft recently detected a sophisticated phishing campaign orchestrated by a threat actor called Storm-0978. The targets of this campaign were defense and government organizations in Europe and North America. The attackers exploited the previously undisclosed CVE-2023-36884, introduced in July's recent Patch Tuesday release. | ||
|
||
CVE-2023-36884 is affecting both Office and Windows. This zero-day vulnerability enables remote code execution through specially crafted Microsoft Office documents. | ||
|
||
This pack will provide you with a first response kit which includes: | ||
|
||
* Threat Hunting Queries | ||
* IoC Collection and Remediation | ||
* Mitigation Measures | ||
|
||
**References:** | ||
|
||
[CVE-2023-36884 - Microsoft Office and Windows HTML Remote Code Execution: Threat Brief](https://unit42.paloaltonetworks.com/cve-2023-36884-rce/) | ||
|
||
[Storm-0978 attacks reveal financial and espionage motives | ||
](https://www.microsoft.com/en-us/security/blog/2023/07/11/storm-0978-attacks-reveal-financial-and-espionage-motives/) |
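Review bot: the last reference has its link text and URL split across two lines (`[Storm-0978 attacks reveal financial and espionage motives` then `](https://www.microsoft.com/...)`), which breaks the Markdown link; keep `[text](url)` on one line, as the Unit42 reference above it already does.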
Binary file added (+548 KB): ...indows_RCE/doc_files/CVE-2023-36884_-_Microsoft_Office_and_Windows_HTML_RCE.png
41 changes: 41 additions & 0 deletions
Packs/CVE_2023_36884_-_Microsoft_Office_and_Windows_RCE/pack_metadata.json
@@ -0,0 +1,41 @@ | ||
{ | ||
"name": "CVE-2023-36884 - Microsoft Office and Windows HTML RCE", | ||
"description": "This pack handles CVE-2023-36884 - Microsoft Office and Windows HTML RCE vulnerability", | ||
"support": "xsoar", | ||
"currentVersion": "1.0.0", | ||
"author": "Cortex XSOAR", | ||
"url": "https://www.paloaltonetworks.com/cortex", | ||
"email": "", | ||
"categories": [ | ||
"Case Management" | ||
], | ||
"tags": [], | ||
"useCases": [], | ||
"keywords": [ | ||
"zero-day", | ||
"0-day", | ||
"Microsoft", | ||
"HTML", | ||
"RCE", | ||
"Remote Code Execution", | ||
"IR", | ||
"Incident Response", | ||
"Response", | ||
"CVE-2023-36884", | ||
"36884", | ||
"Storm-0978", | ||
"RomCom", | ||
"Office", | ||
"Windows" | ||
], | ||
"dependencies": { | ||
"MajorBreachesInvestigationandResponse": { | ||
"mandatory": true, | ||
"display_name": "Rapid Breach Response" | ||
} | ||
}, | ||
"marketplaces": [ | ||
"xsoar", | ||
"marketplacev2" | ||
] | ||
} |
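Review bot: "tags" and "useCases" are left as empty arrays while "categories" is set to "Case Management"; if the pack is meant to be found under a marketplace use case or tag, populate these here, otherwise it will only surface through the "keywords" list. The "description" string is also missing an article and a period ("This pack handles the CVE-2023-36884 - Microsoft Office and Windows HTML RCE vulnerability."), and it is worth stating in the description that the Rapid Breach Response pack is a mandatory dependency, since "dependencies" declares it as such.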
4 changes: 4 additions & 0 deletions
Packs/MajorBreachesInvestigationandResponse/ReleaseNotes/1_6_35.md
@@ -0,0 +1,4 @@ | ||
##### CVE-2023-36884 - Microsoft Office and Windows HTML RCE | ||
- New pack which handles the CVE-2023-36884 - Microsoft Office and Windows HTML RCE. | ||
This pack can be installed by checking the box when updating the Rapid Breach Response pack (optional dependency) or by installing it directly via | ||
our Marketplace. |
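Review bot: the two continuation lines after the bullet ("This pack can be installed by ..." and "our Marketplace.") are not indented under the "- New pack which handles ..." item, so they render as a separate paragraph rather than as part of that list item; indent them or join them into the bullet. The bullet text is also missing a noun at the end ("handles the CVE-2023-36884 - Microsoft Office and Windows HTML RCE vulnerability"), and the wrapped "via / our Marketplace." split should be on one line.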