TTPwire Vol. 1 · MITRE ATT&CK · Tagged

Huntress

Everything We Know About CVE-2023-23397 | Huntress

2023-03-17

ATT&CK techniques detected

10 predictions

T1218.011 Rundll32 (98%)
"the very last, or last couple rundll32.exe process command-line arguments (shown again below), will append a .wav file extension at the end of the WebDAV URL. rundll32.exe c:\windows\system32\davclnt.dll,davsetcookie [remote-host] http://[remote-host]/…"

T1218.011 Rundll32 (88%)
"…dll32.exe processes do spawn, only a few (two to three) are invoked. To demonstrate this, observe the following manual trigger of the CVE-2023-23397 exploit, with Responder running but few rundll32.exe processes started. However, view this subsequent Responder example j…"

T1557.001 Name Resolution Poisoning and SMB Relay (56%)
"s calendar, attached in an email, or sent naturally within Outlook. At Huntress, security researcher John Hammond was able to stitch together a crude proof-of-concept. For the sake of demonstration, this showcases receiving an email, the manual process of adding the appointme…"

T1566.001 Spearphishing Attachment (49%)
"portions of the malicious calendar invitation. - Huntress security researchers recreate the proof-of-concept - Will Dormann explores the potential of malicious invites with RTF/tfnet - Thursday, March 16, 2023 - Florian Roth of Nextron Systems begins developing a Sigma rule…"

T1550.002 Pass the Hash (48%)
"s calendar, attached in an email, or sent naturally within Outlook. At Huntress, security researcher John Hammond was able to stitch together a crude proof-of-concept. For the sake of demonstration, this showcases receiving an email, the manual process of adding the appointme…"

T1557.001 Name Resolution Poisoning and SMB Relay (39%)
"issues with other applications and is recommended as only a temporary mitigation. Additionally, you can block TCP 445/SMB outbound traffic from the edge of your network or local firewalls, so NTLM authentication cannot reach external file shares. This is another suggestion to b…"

T1187 Forced Authentication (37%)
"observed Procmon logs, both filtered on only process events and all signals, here. When a malicious calendar invite is delivered and the reminder notification is triggered: - svchost.exe spawns a child process rundll32.exe - rundll32.exe c:\windows\system32\davclnt.dl…"

T1566.002 Spearphishing Link (36%)
"portions of the malicious calendar invitation. - Huntress security researchers recreate the proof-of-concept - Will Dormann explores the potential of malicious invites with RTF/tfnet - Thursday, March 16, 2023 - Florian Roth of Nextron Systems begins developing a Sigma rule…"

T1557.001 Name Resolution Poisoning and SMB Relay (33%)
"observed Procmon logs, both filtered on only process events and all signals, here. When a malicious calendar invite is delivered and the reminder notification is triggered: - svchost.exe spawns a child process rundll32.exe - rundll32.exe c:\windows\system32\davclnt.dl…"

T1187 Forced Authentication (31%)
"issues with other applications and is recommended as only a temporary mitigation. Additionally, you can block TCP 445/SMB outbound traffic from the edge of your network or local firewalls, so NTLM authentication cannot reach external file shares. This is another suggestion to b…"

Summary

Huntress is tracking CVE-2023-23397, a zero-day that impacts Microsoft Outlook and requires no user interaction to expose user credential hashes.