Query Details

CVE-2023-23397 Detection

Query

//CVE-2023-23397 Detection

DeviceProcessEvents
| where InitiatingProcessFileName == "svchost.exe"
// WebDAV client (davclnt.dll) launched through rundll32 with DavSetCookie
| where FileName == "rundll32.exe" and ProcessCommandLine contains "davclnt.dll" and ProcessCommandLine contains "DavSetCookie"
// drop targets in the 10.x and 192.168.x private ranges
| where ProcessCommandLine !contains "http://10."
| where ProcessCommandLine !contains "http://192.168."
// split() returns dynamic; cast to string before splitting again and summarizing
| extend url = tostring(split(ProcessCommandLine, "http://")[1])
| extend domain = tostring(split(url, "/")[0])
| where domain contains "." and domain !endswith ".local"
| summarize count() by domain

Explanation

This query hunts for signs of CVE-2023-23397 exploitation. It keeps DeviceProcessEvents rows where the initiating process is "svchost.exe" and the launched process is "rundll32.exe" with a command line that references both "davclnt.dll" and "DavSetCookie". It then drops command lines whose URL points at the "10." or "192.168." private address ranges. From the remaining rows it takes the text after "http://" as the URL and the part before the next "/" as the domain, keeps only domains that contain a period (so bare single-label hostnames are discarded) and do not end with ".local", and finally counts the rows per domain.
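The same triage logic re-implemented in Python so it can be tested offline against constructed DeviceProcessEvents-shaped rows (added example, not part of the original query or Rod Trent's work). It goes one step beyond the query by excluding every RFC 1918, loopback and link-local IP literal rather than only the "10." and "192.168." prefixes; the row layout and sample command lines are assumptions built for the example.

```python
import ipaddress
from collections import Counter
from typing import Iterable, Optional

def is_private_host(host: str) -> bool:
    """IP-literal host in RFC 1918 / loopback / link-local space. Generalises the
    query's two prefix checks ("http://10.", "http://192.168.") to all private space."""
    try:
        ip = ipaddress.ip_address(host.rsplit(":", 1)[0])  # drop an optional :port
    except ValueError:
        return False  # a hostname, not an IP literal
    return ip.is_private or ip.is_loopback or ip.is_link_local

def extract_webdav_host(cmdline: str) -> Optional[str]:
    """Same cut as the KQL: text after the first "http://" up to the next "/"."""
    _, sep, rest = cmdline.partition("http://")
    return rest.split("/", 1)[0] if sep else None

def is_suspicious(event: dict) -> Optional[str]:
    """The KQL filters applied to one row; returns the surviving host, else None."""
    cmd = event.get("ProcessCommandLine", "")
    low = cmd.lower()  # KQL `contains` is case-insensitive, `==` is not
    if (event.get("InitiatingProcessFileName") != "svchost.exe"
            or event.get("FileName") != "rundll32.exe"):
        return None
    if "davclnt.dll" not in low or "davsetcookie" not in low:
        return None
    host = extract_webdav_host(cmd)
    if not host or "." not in host or host.lower().endswith(".local"):
        return None
    return None if is_private_host(host) else host

def summarize_hosts(events: Iterable[dict]) -> Counter:
    """Equivalent of `summarize count() by tostring(domain)`."""
    return Counter(h for h in map(is_suspicious, events) if h)

def _row(parent: str, url: str) -> dict:
    # Constructed DeviceProcessEvents-shaped row; not real telemetry.
    return {"InitiatingProcessFileName": parent, "FileName": "rundll32.exe",
            "ProcessCommandLine": f"rundll32.exe davclnt.dll,DavSetCookie {url}"}

# Constructed sample rows; only the two attacker.example rows should survive.
SAMPLE_EVENTS = [
    _row("svchost.exe", "http://attacker.example/share/reminder.wav"),  # kept
    _row("svchost.exe", "http://attacker.example/other/sound.wav"),     # kept
    _row("svchost.exe", "http://10.1.2.3/share/x.wav"),                 # private, as in the query
    _row("svchost.exe", "http://172.16.5.5/share/x.wav"),               # private, beyond the query
    _row("svchost.exe", "http://fileserver.local/share/x.wav"),         # .local
    _row("svchost.exe", "http://intranet/share/x.wav"),                 # no "."
    _row("explorer.exe", "http://attacker.example/share/x.wav"),        # wrong parent
]
```

Running `summarize_hosts(SAMPLE_EVENTS)` yields a single bucket, attacker.example with a count of 2, matching what the KQL would return for the same rows.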

Details

Rod Trent

Released: March 21, 2023

Tables

DeviceProcessEvents

Keywords

DeviceProcessEvents,InitiatingProcessFileName,svchost.exe,FileName,rundll32.exe,ProcessCommandLine,davclnt.dll,DavSetCookie,http://10.,http://192.168.,url,domain,.local

Operators

DeviceProcessEvents,where,==,and,contains,contains,and,contains,!contains,!contains,extend,split,extend,split,where,contains,!endswith,summarize,count(),by,tostring