Query Details

CVE 2023 36884 Url Marker

Query

DeviceNetworkEvents 
| where ActionType == "HttpConnectionInspected"
| extend json = todynamic(AdditionalFields)
| extend method = tostring(json.method), uri = tostring(json.uri), direction = tostring(json.direction)
| where method == "GET"
| where uri contains "/MSHTML_C7/"
| where direction == 'Out'

About this query

CVE-2023-36884 URL marker

Description

Following relevant puplic reports of analysis with regards to CVE-2023-36884 exploitation, the following query can help hunt a unique URL marker identified.

References

Microsoft 365 Defender & Microsoft Sentinel

MITRE ATT&CK Mapping

Source

Versioning

VersionDateComments
1.018/07/2023Initial publish

Explanation

This query is used to hunt for a unique URL marker associated with the CVE-2023-36884 vulnerability. It filters network events to find HTTP connections that have been inspected and have a GET method, contain "/MSHTML_C7/" in the URI, and have an outbound direction. The query is relevant for Microsoft 365 Defender and Microsoft Sentinel. The MITRE ATT&CK mapping shows that this query is related to the Command and Control tactic and Technique ID T1071.001.

Details

Michalis Michalos profile picture

Michalis Michalos

Released: August 14, 2023

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEventsActionTypeHttpConnectionInspectedAdditionalFieldsmethoduridirectionGET/MSHTML_C7/Out

Operators

whereextendtostringcontains

MITRE Techniques

Actions

GitHub