CVE 2023 36884 Url Marker
Query
DeviceNetworkEvents
| where ActionType == "HttpConnectionInspected"
| extend json = todynamic(AdditionalFields)
| extend method = tostring(json.method), uri = tostring(json.uri), direction = tostring(json.direction)
| where method == "GET"
| where uri contains "/MSHTML_C7/"
| where direction == 'Out'About this query
CVE-2023-36884 URL marker
Description
Following relevant puplic reports of analysis with regards to CVE-2023-36884 exploitation, the following query can help hunt a unique URL marker identified.
References
- https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
- https://github.com/SigmaHQ/sigma/blob/master/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_url_marker_traffic.yml
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36884
Microsoft 365 Defender & Microsoft Sentinel
MITRE ATT&CK Mapping
- Tactic: Command and Control
- Technique ID: T1071.001
- Application Layer Protocol: Web Protocols
Source
Versioning
| Version | Date | Comments |
|---|---|---|
| 1.0 | 18/07/2023 | Initial publish |
Explanation
This query is used to hunt for a unique URL marker associated with the CVE-2023-36884 vulnerability. It filters network events to find HTTP connections that have been inspected and have a GET method, contain "/MSHTML_C7/" in the URI, and have an outbound direction. The query is relevant for Microsoft 365 Defender and Microsoft Sentinel. The MITRE ATT&CK mapping shows that this query is related to the Command and Control tactic and Technique ID T1071.001.
