
# CVE-2023-36884 URL marker

### Description

Following public reports analysing exploitation of CVE-2023-36884, the query below can help hunt for the unique URL marker identified in those reports.

### References
- https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
- https://github.com/SigmaHQ/sigma/blob/master/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_url_marker_traffic.yml
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36884

### Microsoft 365 Defender & Microsoft Sentinel
```kusto
DeviceNetworkEvents
| where ActionType == "HttpConnectionInspected"
| extend json = todynamic(AdditionalFields)
| extend method = tostring(json.method), uri = tostring(json.uri), direction = tostring(json.direction)
| where method == "GET"
| where uri contains "/MSHTML_C7/"
| where direction == "Out"
```

### MITRE ATT&CK Mapping
- Tactic: Command and Control
- Technique ID: T1071.001
- [Application Layer Protocol: Web Protocols](https://attack.mitre.org/techniques/T1071/001/)

### Source

### Versioning
| Version       | Date          | Comments                          |
| ------------- |---------------| ----------------------------------|
| 1.0           | 18/07/2023    | Initial publish                   |

### Explanation

This query hunts for a unique URL marker associated with exploitation of CVE-2023-36884. It takes DeviceNetworkEvents rows whose ActionType is HttpConnectionInspected, parses the AdditionalFields JSON, and keeps outbound HTTP GET requests whose URI contains "/MSHTML_C7/". The query runs in Microsoft 365 Defender advanced hunting and in Microsoft Sentinel. The MITRE ATT&CK mapping ties it to the Command and Control tactic, technique T1071.001 (Application Layer Protocol: Web Protocols).
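The same filter expressed outside KQL, as an added example that is not part of the original query page: it applies the four conditions to constructed DeviceNetworkEvents-shaped rows, which is handy for unit-testing the logic before it is ported into another pipeline. It mirrors two KQL details the query relies on: `==` is case-sensitive while `contains` is case-insensitive, and `tostring()` of a missing dynamic property is an empty string, so a row whose AdditionalFields is not JSON simply fails the match. The row contents and host names are constructed sample data, not real telemetry.

```python
import json

# Constructed sample rows shaped like DeviceNetworkEvents (not real telemetry).
SAMPLE_EVENTS = [
    # Outbound GET with the marker: should match.
    {"DeviceName": "ws01", "ActionType": "HttpConnectionInspected",
     "AdditionalFields": json.dumps({"method": "GET",
                                     "uri": "http://example.invalid/MSHTML_C7/start.xml",
                                     "direction": "Out"})},
    # Marker in a different case: KQL `contains` is case-insensitive, so this also matches.
    {"DeviceName": "ws02", "ActionType": "HttpConnectionInspected",
     "AdditionalFields": json.dumps({"method": "GET",
                                     "uri": "http://example.invalid/mshtml_c7/",
                                     "direction": "Out"})},
    # POST instead of GET: excluded.
    {"DeviceName": "ws03", "ActionType": "HttpConnectionInspected",
     "AdditionalFields": json.dumps({"method": "POST",
                                     "uri": "http://example.invalid/MSHTML_C7/",
                                     "direction": "Out"})},
    # Inbound direction: excluded.
    {"DeviceName": "ws04", "ActionType": "HttpConnectionInspected",
     "AdditionalFields": json.dumps({"method": "GET",
                                     "uri": "http://example.invalid/MSHTML_C7/",
                                     "direction": "In"})},
    # Different ActionType: excluded even though the URI carries the marker.
    {"DeviceName": "ws05", "ActionType": "ConnectionSuccess",
     "AdditionalFields": json.dumps({"method": "GET",
                                     "uri": "http://example.invalid/MSHTML_C7/",
                                     "direction": "Out"})},
    # AdditionalFields is not JSON: no method/uri/direction properties, so no match.
    {"DeviceName": "ws06", "ActionType": "HttpConnectionInspected",
     "AdditionalFields": "not json"},
]


def parse_additional_fields(raw):
    """Return the AdditionalFields payload as a dict, or {} when it is not a JSON object."""
    try:
        parsed = json.loads(raw)
    except (TypeError, ValueError):
        return {}
    return parsed if isinstance(parsed, dict) else {}


def _as_text(value):
    """Mirror tostring(): a missing or null property becomes the empty string."""
    return "" if value is None else str(value)


def is_url_marker_hit(event, marker="/MSHTML_C7/"):
    """Apply the query's four conditions to a single DeviceNetworkEvents-shaped row."""
    if event.get("ActionType") != "HttpConnectionInspected":
        return False
    fields = parse_additional_fields(event.get("AdditionalFields"))
    method = _as_text(fields.get("method"))
    uri = _as_text(fields.get("uri"))
    direction = _as_text(fields.get("direction"))
    # `==` in KQL is case-sensitive; `contains` is case-insensitive.
    return (method == "GET"
            and marker.lower() in uri.lower()
            and direction == "Out")


def hunt(events):
    """Return the rows that satisfy the query, in input order."""
    return [e for e in events if is_url_marker_hit(e)]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        uri = json.loads(hit["AdditionalFields"])["uri"]
        print(f'{hit["DeviceName"]}: {uri}')
```

Running the block prints the two matching hosts (ws01 and ws02). If the original query is ever tightened to `contains_cs`, drop the `.lower()` calls here so the two implementations stay in step.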

### Details

Author: Michalis Michalos

Released: August 14, 2023

Tables: DeviceNetworkEvents

Keywords: DeviceNetworkEvents, ActionType, HttpConnectionInspected, AdditionalFields, method, uri, direction, GET, /MSHTML_C7/, Out

Operators: where, extend, tostring, contains