{"id":126855,"date":"2023-03-24T11:30:00","date_gmt":"2023-03-24T18:30:00","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=126855"},"modified":"2024-07-03T07:48:16","modified_gmt":"2024-07-03T14:48:16","slug":"guidance-for-investigating-attacks-using-cve-2023-23397","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/03\/24\/guidance-for-investigating-attacks-using-cve-2023-23397\/","title":{"rendered":"Guidance for investigating attacks using CVE-2023-23397"},"content":{"rendered":"\n<blockquote class=\"wp-block-quote blockquote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><strong>February 15, 2024 update<\/strong> &#8211; On January 20, 2024, the US government conducted a disruption operation against infrastructure used by a threat actor we track as <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/tag\/forest-blizzard-strontium\/?sort-by=newest-oldest&amp;date=any\">Forest Blizzard (STRONTIUM)<\/a>, a Russian state-sponsored threat actor, as detailed here: <a href=\"https:\/\/www.justice.gov\/opa\/pr\/justice-department-conducts-court-authorized-disruption-botnet-controlled-russian\">https:\/\/www.justice.gov\/opa\/pr\/justice-department-conducts-court-authorized-disruption-botnet-controlled-russian<\/a><\/p>\n<\/blockquote>\n\n\n\n<p><\/p>\n\n\n\n<blockquote class=\"wp-block-quote blockquote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><strong>December 4, 2023 update<\/strong> &#8211; Microsoft has identified a nation-state activity group tracked as <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/tag\/forest-blizzard-strontium\/?sort-by=newest-oldest&amp;date=any\">Forest Blizzard (STRONTIUM)<\/a>, based in Russia, actively exploiting CVE-2023-23397 to provide secret, unauthorized access to email accounts within Exchange servers. The Polish Cyber Command (DKWOC) partnered with Microsoft to take action against Forest Blizzard actors, and to identify and mitigate techniques used by the actor: <a href=\"https:\/\/www.wojsko-polskie.pl\/woc\/articles\/aktualnosci-w\/detecting-malicious-activity-against-microsoft-exchange-servers\/\">https:\/\/www.wojsko-polskie.pl\/woc\/articles\/aktualnosci-w\/detecting-malicious-activity-against-microsoft-exchange-servers\/<\/a>. Users should ensure Microsoft Outlook is patched and kept up to date to mitigate this threat. Microsoft Defender XDR detects the exploitation and known post-compromise activity of CVE-2023-23397. The only updates to the original blog below are in the \u201cWho is Forest Blizzard&#8221; section, reflecting our updated attribution, and added links to our product Threat Intelligence reports.<\/p>\n\n\n\n<p><strong>Who is Forest Blizzard?<\/strong><\/p>\n\n\n\n<p>The group Microsoft tracks as <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/tag\/forest-blizzard-strontium\/?sort-by=newest-oldest&amp;date=any\">Forest Blizzard (STRONTIUM)<\/a> is a Russian state-sponsored threat actor that primarily targets government, energy, transportation, and non-governmental organizations in the United States, Europe, and the Middle East. <a href=\"https:\/\/media.defense.gov\/2021\/Jul\/01\/2002753896\/-1\/-1\/1\/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF\">The United States and United Kingdom governments<\/a> have linked Forest Blizzard to Unit 26165 of the Russian Federation\u2019s military intelligence agency: Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).<\/p>\n\n\n\n<p>Forest Blizzard commonly seeks and employs publicly available exploits in addition to CVE-2023-23397. Beginning in at least the first half of September 2023, Forest Blizzard actors leveraged the WinRAR <a href=\"https:\/\/security.microsoft.com\/vulnerabilities\/vulnerability\/CVE-2023-38831\/overview\">CVE 2023-38831<\/a> vulnerability to adapt spear-phishing operations against chiefly Ukrainian government targets. Other known exploits leveraged by Forest Blizzard include <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2021-40444\">CVE-2021-40444<\/a>, <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2021-42292\">CVE-2021-42292<\/a>, <a href=\"https:\/\/techcommunity.microsoft.com\/t5\/exchange-team-blog\/released-november-2021-exchange-server-security-updates\/ba-p\/2933169\">CVE-2021-42321<\/a>, <a href=\"https:\/\/techcommunity.microsoft.com\/t5\/exchange-team-blog\/released-may-2021-exchange-server-security-updates\/ba-p\/2335209\">CVE-2021-34473<\/a>, <a href=\"https:\/\/support.microsoft.com\/topic\/description-of-the-security-update-for-microsoft-exchange-server-2010-service-pack-3-december-8-2020-cd820b6e-9b32-e3c3-d1a3-3c21a1278484\">CVE-2020-17144<\/a>, and <a href=\"https:\/\/support.microsoft.com\/topic\/description-of-the-security-update-for-microsoft-exchange-server-2019-and-2016-february-11-2020-94ac1ebb-fb8a-b536-9240-a1cab0fd1c9f\">CVE-2020-0688<\/a>.<\/p>\n\n\n\n<p>Forest Blizzard continually refines its footprint by employing new custom techniques and malware, suggesting that it is a well-resourced and well-trained group posing long-term challenges to attribution and tracking its activities. Microsoft continually updates detections and protections against this threat group based on our telemetry and research. Other security researchers have used GRU Unit 26165, <a href=\"https:\/\/www.mandiant.com\/resources\/blog\/apt28-a-window-into-russias-cyber-espionage-operations\">APT28<\/a>, <a href=\"https:\/\/www.eset.com\/afr\/about\/newsroom\/press-releases-afr\/research\/dissection-of-sednit-espionage-group-1\/\">Sednit<\/a>, <a href=\"https:\/\/unit42.paloaltonetworks.com\/unit42-sofacy-groups-parallel-attacks\/\">Sofacy<\/a>, and <a href=\"https:\/\/www.crowdstrike.com\/blog\/who-is-fancy-bear\/\">Fancy Bear<\/a> to refer to groups with similar or related activities.<\/p>\n\n\n\n<p><\/p>\n<\/blockquote>\n\n\n\n<p><\/p>\n\n\n\n<p>This guide provides steps organizations can take to assess whether users have been targeted or compromised by threat actors exploiting <a href=\"https:\/\/msrc.microsoft.com\/blog\/2023\/03\/microsoft-mitigates-outlook-elevation-of-privilege-vulnerability\/\">CVE-2023-23397<\/a>. A successful exploit of this vulnerability can result in unauthorized access to an organization\u2019s environment by triggering a Net-NTLMv2 hash leak. Understanding the vulnerability and how it has been leveraged by threat actors can help guide the overall investigative process.<\/p>\n\n\n\n<p>This document covers:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>An overview of the vulnerability<\/li>\n\n\n\n<li>Exploit scenarios<\/li>\n\n\n\n<li>Post-exploit activities observed in attacks<\/li>\n\n\n\n<li>Techniques for determining if an organization was targeted or compromised via this vulnerability<\/li>\n\n\n\n<li>Mitigations available to protect your environment<\/li>\n<\/ul>\n\n\n\n<p>Exploitation of CVE-2023-23397 leaves very few forensic artifacts to discover in traditional endpoint forensic analysis. This blog describes how Microsoft Incident Response (previously known as Microsoft Detection and Response Team &#8211; DART) was able to detect the abuse of CVE-2023-23397 and how organizations can identify historical and present evidence of compromise through this vulnerability.<\/p>\n\n\n\n<p>This vulnerability triggers a Net-NTLMv2 hash leak. Abuse of the leaked Net-NTLMv2 hash is post-exploitation activity. In this blog, we emphasize specific observed post-exploitation activity that targeted Microsoft Exchange Server. However, there are numerous ways that a leaked Net-NTLMv2 hash could be used by a threat actor.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"understanding-the-cve-2023-23397-vulnerability\">Understanding the CVE-2023-23397 vulnerability<\/h2>\n\n\n\n<p>CVE-2023-23397 is a critical elevation of privilege vulnerability in Microsoft Outlook on Windows. It is exploited when a threat actor delivers a specially crafted message to a user. This message includes the <em>PidLidReminderFileParameter<\/em> extended Messaging Application Programming Interface (MAPI) property, which must be set to a Universal Naming Convention (UNC) path share on a threat actor-controlled server (via Server message block (SMB)\/transmission control protocol (TCP) port 445).<\/p>\n\n\n\n<p>In exploitation of CVE-2023-23397, threat actors can specify the value for the <em>PidLidReminderFileParameter<\/em> in specially crafted messages to trigger a Net-NTLMv2 hash leak to threat actor-controlled servers.<\/p>\n\n\n\n<p>The user does not need to interact with the message: if Outlook on Windows is open when the reminder is triggered, it allows exploitation. The connection to the remote SMB server sends the user\u2019s Net-NTLMv2 hash in a negotiation message, which the threat actor can either a) relay for authentication against other systems that support NTLMv2 authentication or b) perform offline cracking to extract the password. As these are NTLMv2 hashes, they cannot be leveraged as part of a Pass-the-Hash technique. All versions of Microsoft Outlook on Windows are impacted. Outlook for Android, iOS, Mac, and users who use Outlook on the web (OWA) without using the Outlook client are not affected.<\/p>\n\n\n\n<p>Microsoft has traced evidence of potential exploitation of this vulnerability as early as April 2022.<\/p>\n\n\n\n<p>This technique leverages the Transport Neutral Encapsulation Format (TNEF). TNEF is a Microsoft-specific format for transmitting formatted email messages. A TNEF message contains a plaintext version of the message and an attachment that packages the original formatted version of the message. Typically, this attachment is named <em>Winmail.dat<\/em>. The <em>Winmail.dat<\/em> attachment includes formatting, attachments, and Outlook-specific features such as meeting requests including extended MAPI Properties. Details about TNEF can be found here:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/learn.microsoft.com\/office\/client-developer\/outlook\/mapi\/transport-neutral-encapsulation-format-tnef\">https:\/\/learn.microsoft.com\/office\/client-developer\/outlook\/mapi\/transport-neutral-encapsulation-format-tnef<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/learn.microsoft.com\/exchange\/mail-flow\/content-conversion\/content-conversion\">https:\/\/learn.microsoft.com\/exchange\/mail-flow\/content-conversion\/content-conversion<\/a>.<\/li>\n<\/ul>\n\n\n\n<p>Outlook on Windows is designed to enable a user to specify a custom sound file associated with a reminder.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"526\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/03\/Figure-1-setting-a-custom-sound-to-play-when-a-reminder-is-triggered-in-outlook-on-windows-client-1024x526.png\" alt=\"Screenshots of Outlook on Windows showing how to set a custom sound that plays when a reminder is triggered \" class=\"wp-image-126857\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/03\/Figure-1-setting-a-custom-sound-to-play-when-a-reminder-is-triggered-in-outlook-on-windows-client-1024x526.png 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/03\/Figure-1-setting-a-custom-sound-to-play-when-a-reminder-is-triggered-in-outlook-on-windows-client-300x154.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/03\/Figure-1-setting-a-custom-sound-to-play-when-a-reminder-is-triggered-in-outlook-on-windows-client-768x395.png 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/03\/Figure-1-setting-a-custom-sound-to-play-when-a-reminder-is-triggered-in-outlook-on-windows-client.png 1080w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Figure 1. Setting a custom sound to play when a reminder is triggered in Outlook on Windows client<\/figcaption><\/figure>\n\n\n\n<p>Modifying this value sets the <em>PidLidReminderFileParameter<\/em> extended MAPI property, which is stored as a property associated with the specific mail object. A tool such as MFCMAPI (see <a href=\"https:\/\/github.com\/stephenegriffin\/mfcmapi\">https:\/\/github.com\/stephenegriffin\/mfcmapi<\/a>) can be used to view extended MAPI properties associated with an object. In the following screenshot, the value of the <em>PidLidReminderFileParameter<\/em> is shown set to <em>reminder.wav<\/em>, the <em>PidLidReminderSet<\/em> is \u201cTrue\u201d, and the reminder times are set to occur in the past.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"936\" height=\"394\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/03\/Figure-2-resulting-extended-mapi-properties-and-their-values-as-a-result-of-customizing-the-sound-to-play-when-reminders-are-triggered-as-seen-using-mfcmapi.png\" alt=\"Screenshot of message MAPI properties and their values\" class=\"wp-image-126858\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/03\/Figure-2-resulting-extended-mapi-properties-and-their-values-as-a-result-of-customizing-the-sound-to-play-when-reminders-are-triggered-as-seen-using-mfcmapi.png 936w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/03\/Figure-2-resulting-extended-mapi-properties-and-their-values-as-a-result-of-customizing-the-sound-to-play-when-reminders-are-triggered-as-seen-using-mfcmapi-300x126.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/03\/Figure-2-resulting-extended-mapi-properties-and-their-values-as-a-result-of-customizing-the-sound-to-play-when-reminders-are-triggered-as-seen-using-mfcmapi-768x323.png 768w\" sizes=\"(max-width: 936px) 100vw, 936px\" \/><figcaption class=\"wp-element-caption\">Figure 2. Resulting extended MAPI Properties and their values as a result of customizing the sound to play when reminders are triggered as seen using MFCMAPI.<\/figcaption><\/figure>\n\n\n\n<p>To further deceive users, threat actors may also set the <em>PidLidReminderTime<\/em> property to remain dormant in the mailbox until a future date.<\/p>\n\n\n\n<p>The affected Net-NTLMv2 hash belongs to the user signed in to the Windows device where the Outlook client application is running, regardless of the identity that received the malicious message. If the user does not dismiss the reminder\/task Outlook alert or the reminder is recurring (i.e., fires multiple times), the user\u2019s Net-NTLMv2 hash can be leaked multiple times.<\/p>\n\n\n\n<p>Note: Interaction based on the WebDAV protocol is not at risk of leaking credentials to external IP addresses via this exploit technique. While the threat actor infrastructure might request Net-NTLMv2 authentication, Windows will honor the defined internet security zones and will not send Net-NTLMv2 hashes. In other words, an external threat actor can only exploit this vulnerability via the SMB protocol. If a target device can communicate to external threat actor infrastructure over port 445 (SMB), Net-NTLMv2 hashes might be sent; however, if this communication via SMB is not possible, Windows will fall back to leveraging WebDAV. WebDAV will set up a connection with the threat actor infrastructure, but Net-NTLMv2 hashes will not be sent.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"observed-post-exploitation-actions\">Observed post-exploitation actions<\/h3>\n\n\n\n<p>In a recent engagement, Microsoft Incident Response has observed additional post-exploitation activities following exploitation of CVE-2023-23397. The presence of artifacts associated with these post-exploitation activities can strongly suggest compromise of user accounts. These post-exploitation activities include:<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"initial-access-authentication-bypass\">Initial access (authentication bypass):<\/h4>\n\n\n\n<p>Using a Net-NTLMv2 Relay attack against Exchange Servers (<strong>NOTE: <\/strong>Azure Active Directory, the default authentication service for Exchange Online, is not directly susceptible to a Net-NTLMv2 relay attack. However, it is possible that a federated identity provider may be susceptible).<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"credential-access-lateral-movement\">Credential access\/lateral movement:<\/h4>\n\n\n\n<p>Using the Exchange Web Services (EWS) API to send additional messages with the malicious value of the <em>PidLidReminderFileParameter<\/em> extended MAPI property to users inside and external to the organization.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"discovery-persistence\">Discovery\/persistence:<\/h4>\n\n\n\n<p>Using the EWS API to enumerate folders in a compromised user\u2019s mailbox and changing the mailbox folder permissions using the <em>UpdateFolder<\/em> API so that any authenticated user can access all mailbox folder content with \u201cowner\u201d privileges. This technique established additional persistent access to contents of user\u2019s mailboxes even if a password was reset or otherwise remediated.<\/p>\n\n\n\n<p>The following diagrams show initial access using a Net-NTLMv2 Relay attack, persistence via modifying mailbox folder permissions, and lateral movement by sending additional malicious messages.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"420\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/03\/FIGURE3-1024x420.png\" alt=\"Diagram showing exploitation of the vulnerability\" class=\"wp-image-126859\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/03\/FIGURE3-1024x420.png 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/03\/FIGURE3-300x123.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/03\/FIGURE3-768x315.png 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/03\/FIGURE3.png 1170w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Figure 3. Observed threat actor exploitation of CVE-2023-23397 to gain unauthorized access to Exchange Server and modify mailbox folder permissions for persistent access to the mailbox.<\/figcaption><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"486\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/03\/FIGURE4-1024x486.png\" alt=\"Diagram showing threat actor extending access to a compromised environment\" class=\"wp-image-126860\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/03\/FIGURE4-1024x486.png 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/03\/FIGURE4-300x142.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/03\/FIGURE4-768x364.png 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/03\/FIGURE4.png 1170w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Figure 4. Observed threat actor activity to extend their access in a compromised environment by using a compromised e-mail account to target other members of the same organization.<\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"threat-hunting-guidance-evidence-of-targeting\">Threat hunting guidance: Evidence of targeting<\/h2>\n\n\n\n<p>Organizations should use an in-depth and comprehensive threat hunting strategy to identify potential credential compromise through CVE-2023-23397. While running the Exchange scanning script provided by Microsoft is an effective first step, this script does not provide visibility into malicious messages for all scenarios.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Outlook allows users to open multiple mailboxes at the same time. If a user has configured their Outlook to open mailboxes from multiple e-mail services, a malicious message received through one of those other services will still trigger the vulnerability but that message is not in the scanned mailboxes. (Note: Independent of what mailbox or the identity used to access the mailbox, if a malicious message is received, the credential that will leak belongs to the identity currently signed in to the Windows device.)<\/li>\n\n\n\n<li>Users may move messages to a local file (PST). Local e-mail stores are not scanned when scanning the Exchange environment. Archived messages may show evidence of a prior compromise. If the local files are open in Outlook, messages can still trigger the vulnerability.<\/li>\n<\/ul>\n\n\n\n<p>If messages have been deleted from Exchange (some organizations may have a policy limiting data retention), then the messages will no longer be available in Exchange.<\/p>\n\n\n\n<p>If no suspicious or malicious values are identified through the Exchange scanning script, organizations should also hunt for known threat actor indicators of compromise (IOCs) related to the exploitation of this vulnerability.<\/p>\n\n\n\n<p>For example, if IP addresses and URIs are extracted from the <em>PidLidReminderFileParameter<\/em> values, incident responders should review all available security telemetry for presence of these newly identified indicators. Data sources can include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Firewall logs<\/li>\n\n\n\n<li>Proxy logs<\/li>\n\n\n\n<li>Azure Active Directory sign-in logs for users of Exchange Online<\/li>\n\n\n\n<li>IIS Logs for Exchange Server<\/li>\n\n\n\n<li>VPN logs<\/li>\n\n\n\n<li>RDP Gateway logs<\/li>\n\n\n\n<li>Endpoint telemetry from an endpoint detection and response (EDR) solution if available<\/li>\n\n\n\n<li>Forensic endpoint data such as windows event logs from end user systems<\/li>\n<\/ul>\n\n\n\n<p>For example, using advanced hunting in Microsoft Defender for Endpoint, multiple tables can be queried simultaneously to uncover activities related to IP address indicators:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/\/Search for activity around IoAs\nlet IoCs = dynamic(&#91;\"&lt;IP Address 1&gt;\",\"&lt;IP Address 2&gt;\"]);\nlet range = ago(30d);\nunion (DeviceProcessEvents | where Timestamp &gt; range | where ProcessCommandLine has_any (IoCs)),\n     (DeviceNetworkEvents | where Timestamp &gt; range | where RemoteIP in (IoCs) or LocalIP in (IoCs)),\n     (DeviceLogonEvents | where Timestamp &gt; range | where RemoteIP in (IoCs))\n| extend SignatureName = tostring(parse_json(AdditionalFields).SignatureName)\n| project-reorder Timestamp, DeviceName, ActionType, LocalIP,RemoteIP, RemotePort,SignatureName,ProcessCommandLine\n| sort by Timestamp desc\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"hunting-strategically\">Hunting strategically<\/h3>\n\n\n\n<p>There are several approaches to identifying whether your organization was targeted, including the following (ordered from the most high-fidelity to more anomaly-based approach):<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Review suspicious messages, calendar items, or tasks with reminders that were reported by users<\/li>\n\n\n\n<li>Examine network logging and endpoint logging for evidence of known atomic indicators<\/li>\n\n\n\n<li>Scan Exchange for delivered messages with the <em>PidLidReminderFileParameter<\/em> set<\/li>\n\n\n\n<li>Hunt for anomalous behaviors based on:<ul><li>NTLM authentication involving untrusted or external resources. This can be observed in Exchange Server logging, Microsoft Defender for Identity, and Microsoft Defender for Endpoint telemetry.<\/li><\/ul><ul><li><a href=\"https:\/\/en.wikipedia.org\/wiki\/WebDAV\">WebDAV<\/a> connection attempts through process execution events.<\/li><\/ul><ul><li>SMBClient event log entries.<\/li><\/ul>\n<ul class=\"wp-block-list\">\n<li>Firewall logs for suspicious outbound SMB connections.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"review-suspicious-messages-calendar-items-or-tasks-reported-by-users\">Review suspicious messages, calendar items, or tasks reported by users<\/h4>\n\n\n\n<p>Users in targeted organizations will have received messages with the malicious value of the <em>PidLidReminderFileParameter<\/em> value set. In some cases, users may have reported these suspicious messages, tasks, or calendar invitations to their security team. A high-level investigation of messages potentially exploiting CVE-2023-23397 may not reveal any overt malicious elements, as embedding malicious URLs or other content in the message body itself is not necessary. A deeper analysis of the message\u2019s extended MAPI properties (specifically, the <em>PidLidReminderFileParameter<\/em> value) is required to confirm if it is malicious.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"scan-for-messages-with-malicious-properties\">Scan for messages with malicious properties<\/h4>\n\n\n\n<p>Organizations should search their Exchange environment for messages where the <em>PidLidReminderFileParameter<\/em> value is set. Microsoft has provided a script to enable organizations perform this search here, including instructions: <a href=\"https:\/\/microsoft.github.io\/CSS-Exchange\/Security\/CVE-2023-23397\/\">https:\/\/microsoft.github.io\/CSS-Exchange\/Security\/CVE-2023-23397\/<\/a>.<\/p>\n\n\n\n<p>The script produces a CSV file enumerating each message that has the <em>PidLidReminderFileParameter<\/em> property set, and will report on targets that are local on the computer, internal to the network, or on the internet. Any messages identified where this property references a server in the \u201cInternetZone\u201d should be considered malicious. References to intranet servers should also be carefully analyzed. Figure 5 depicts a sample output from this script.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"960\" height=\"100\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/03\/Figure-5-sample-output-for-pidlidreminderfileparameter-detection-script.png\" alt=\"Screenshot of sample output of the detection script\" class=\"wp-image-126861\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/03\/Figure-5-sample-output-for-pidlidreminderfileparameter-detection-script.png 960w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/03\/Figure-5-sample-output-for-pidlidreminderfileparameter-detection-script-300x31.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/03\/Figure-5-sample-output-for-pidlidreminderfileparameter-detection-script-768x80.png 768w\" sizes=\"(max-width: 960px) 100vw, 960px\" \/><figcaption class=\"wp-element-caption\">Figure 5. Sample output for PidLidReminderFileParameter detection script.<\/figcaption><\/figure>\n\n\n\n<p>Customers with a large number of mailboxes in Exchange may consider customizing the script logic strategically, by:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Initially targeting high-value users by specifying a list of mailboxes of interest.<\/li>\n\n\n\n<li>Timeboxing: As the first known exploitation of this vulnerability was in April 2022 performance can be improved by prioritizing a search from 2022 onwards. It is still recommended to search further historically as well, however with lower priority, as it is possible this exploit was used prior to April 2022.<a><\/a><a><\/a><\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Running multiple concurrent scans across different user mailbox sets by using batching (see script documentation).<\/li>\n<\/ul>\n\n\n\n<p>If any suspicious or malicious messages are identified via this script, organizations should further triage their environment, including:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>examination of the targeted users\u2019 logon behaviors<\/li>\n\n\n\n<li>hunting for further presence of any malicious domains or IP addresses in available network and endpoint logging.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"artifacts-on-endpoints\">Artifacts on endpoints<\/h4>\n\n\n\n<p>Organizations should review SMBClient event logging, Process Creation events, and other available network telemetry to identify potential exploitation via CVE-2023-23397. To determine whether any such exploitation led to a threat actor gaining unauthorized access to the environment, analysis of authentication events, network perimeter logging, and Exchange Server logging (if Exchange Server is used by the organization) will be instrumental.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\" id=\"microsoft-windows-smbclient-connectivity-event-logs\">Microsoft-Windows-SMBClient\/Connectivity event logs<\/h5>\n\n\n\n<p>This event logging channel records server errors and warnings for both SMB and WebDAV connections, and provides a source to identify potential compromise through CVE-2023-23397, as it may reveal failed outbound connection attempts to threat actor-controlled infrastructure.<\/p>\n\n\n\n<p>The ServerName field in EventIds 30800, 30803, 30806, 30804, and 31001 should be monitored for non-trusted servers, as illustrated in Figure 6. &nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"917\" height=\"685\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/03\/Figure-6-sample-event-where-smb-traffic-was-blocked-in-the-firewall.png\" alt=\"Screenshot of a sample event showing SMB traffic blocked in the firewall\" class=\"wp-image-126862\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/03\/Figure-6-sample-event-where-smb-traffic-was-blocked-in-the-firewall.png 917w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/03\/Figure-6-sample-event-where-smb-traffic-was-blocked-in-the-firewall-300x224.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/03\/Figure-6-sample-event-where-smb-traffic-was-blocked-in-the-firewall-768x574.png 768w\" sizes=\"(max-width: 917px) 100vw, 917px\" \/><figcaption class=\"wp-element-caption\">Figure 6: Sample event where SMB traffic was blocked in the firewall.<\/figcaption><\/figure>\n\n\n\n<p>It is critical to note that the presence of these events cannot be used to confirm whether credentials were leaked, and can only be used as evidence that an outbound connection attempt was made by the device but failed (due to a protocol or network error). Microsoft Incident Response observed during an engagement that a device affected by CVE-2023-23397 attempted to connect multiple times to threat actor infrastructure, failing occasionally and producing these event log entries, but otherwise successfully leaking credentials to the threat actor.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\" id=\"webdav-process-creation-events\">WebDAV Process Creation events<\/h5>\n\n\n\n<p>If SMB traffic to the internet is blocked by your organization or otherwise fails, Windows will fall back to using WebDAV to attempt to complete the connection. This behavior, paired with CVE-2023-23397 execution, results in a potentially unique Process Creation event and command line parameters that organizations can hunt in endpoint detection and response (EDR) telemetry or other endpoint logging (such as Sysmon logs, as depicted in Figure 7):<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Parent process command line: <em>C:\\Windows\\system32\\svchost.exe -k LocalService -p -s WebClient<\/em><\/li>\n\n\n\n<li>Child process command line: <em>rundll32.exe C:\\Windows\\system32\\davclnt.dll,DavSetCookie &lt;IP Address&gt; hxxp:\/\/&lt;Threat actor IP&gt;\/folder\/sound.wav<\/em><\/li>\n<\/ul>\n\n\n\n<p>It is possible that the filesystem URL may not have a traditional .wav file extension.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"917\" height=\"685\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/03\/Figure-7-sample-webdav-process-create-event.png\" alt=\"Screenshot of WebDAV process create event\" class=\"wp-image-126863\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/03\/Figure-7-sample-webdav-process-create-event.png 917w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/03\/Figure-7-sample-webdav-process-create-event-300x224.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/03\/Figure-7-sample-webdav-process-create-event-768x574.png 768w\" sizes=\"(max-width: 917px) 100vw, 917px\" \/><figcaption class=\"wp-element-caption\">Figure 7: Sample WebDAV process create event<\/figcaption><\/figure>\n\n\n\n<p>It is critical to note that the presence of this process tree in your environment cannot be used to confirm whether credentials were leaked. It can only be used as evidence that a message exploiting CVE-2023-23397 was <strong>delivered<\/strong>, <strong>triggered an attempted outbound SMB connection<\/strong>\/credential leak to threat actor infrastructure, <strong>but failed in the given instance<\/strong> as credentials cannot be leaked through WebDAV with this vulnerability. If this failure was the result of a transient network issue (rather than SMB being blocked deliberately and systemically), it is still possible that credentials may have been leaked.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"exchange-server-logs\">Exchange Server logs<\/h4>\n\n\n\n<p>For organizations using Exchange Server, there are several log sources that can provide value in hunting for indicators of attack or compromise through CVE-2023-23397. These log sources may potentially reveal unauthorized access to Exchange Server via a Net-NTLMv2 Relay attack, as well as possible post-exploitation activities. These logs do not provide value in determining whether a NTLMv2 hash was leaked, however.<\/p>\n\n\n\n<p>Microsoft provides this tool to enable organizations to collect relevant Exchange Server logs: <a href=\"https:\/\/microsoft.github.io\/CSS-Exchange\/Diagnostics\/ExchangeLogCollector\/\">https:\/\/microsoft.github.io\/CSS-Exchange\/Diagnostics\/ExchangeLogCollector\/<\/a>.<\/p>\n\n\n\n<p>Microsoft Incident Response recommends collecting all logs with the <em>-AllPossibleLogs<\/em> command line flag; however, a more minimal collection can be obtained using the following flags:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><em>-EWSLogs<\/em><\/li>\n\n\n\n<li><em>-IISLogs<\/em><\/li>\n\n\n\n<li><em>-PowerShellLogs<\/em><\/li>\n\n\n\n<li><em>-ServerInformation<\/em><\/li>\n\n\n\n<li><em>-ExchangeServerInformation<\/em><\/li>\n\n\n\n<li><em>-MessageTrackingLogs<\/em><\/li>\n\n\n\n<li><em>-OWALogs<\/em><\/li>\n<\/ul>\n\n\n\n<p>Collected logs can be reviewed by <a href=\"https:\/\/learn.microsoft.com\/azure\/data-explorer\/ingest-data-overview\">ingesting them into Azure Data Explorer<\/a>, Log Analytics in Azure Monitor, or another SIEM or log parsing utility (such as <a href=\"https:\/\/techcommunity.microsoft.com\/t5\/exchange-team-blog\/introducing-log-parser-studio\/ba-p\/601131\">Log Parser Studio<\/a>).<\/p>\n\n\n\n<h5 class=\"wp-block-heading\" id=\"exchange-iis-logs\">Exchange IIS logs<\/h5>\n\n\n\n<p>Analysis of IIS logs from Exchange Server (or, if the server is behind a reverse proxy, the IIS logs from the proxy server) can provide insight into potential threat actor behavior.<\/p>\n\n\n\n<p><strong>NOTE:<\/strong> If Exchange Server is protected by a reverse proxy, client IP values (cIP) in logging will only show the IP address of the proxy server. In this case, access to logs from the proxy is critical to determine if connections originated from untrusted IP addresses.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\" id=\"reverse-proxy-logs\">Reverse Proxy Logs<\/h5>\n\n\n\n<p>If a reverse proxy is implemented and configured to register headers, such as those that include authentication methods and Net-NTLMv2 negotiations, it is possible to identify Net-NTLMv2 Relay behavior. Microsoft Incident Response was able to leverage these logs in a recent engagement: certain users appeared to authenticate from their appropriate and expected workstations, but the authentications originated from IP addresses associated with threat actor infrastructure.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\" id=\"ewslogs\">EWSLogs<\/h5>\n\n\n\n<p>Exchange Web Services (EWS) logs include the <em>AuthenticationType<\/em>. If a Net-NTLMv2 Relay attack was leveraged against an EWS Endpoint, it can often be seen in these logs. Strategies to hunt for anomalies in these logs include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Filtering EWSLogs by <em>AuthenticationType<\/em> for NTLM<\/li>\n\n\n\n<li>Grouping by <em>ClientIpAddress<\/em> (NOTE: The external client IP address may need to be parsed from the field, as it can contain the results of proxying the ClientIP to the Exchange Server backend component. Fields will be in the form <em>&lt;ClientIP&gt;:&lt;PortNumber&gt; &lt;ProxiedIPAddress&gt;<\/em>).<\/li>\n\n\n\n<li>Group by the <em>AuthenticatedUser<\/em><\/li>\n<\/ul>\n\n\n\n<p>Any authentications using NTLMv2 originating from unknown or untrusted IP addresses should be further examined. If a single external IP address is associated with multiple users\u2019 authentications, and the IP address is not consistent with those users\u2019 typical patterns of behavior (based on factors such as geolocation, hosting provider, or User Agent string), events associated with such an IP should be investigated further.<\/p>\n\n\n\n<p>If a threat actor changes mailbox permissions or mailbox folder permissions as part of their post-exploitation behaviors, <em>SoapActions<\/em> including \u201cGetFolder\u201d, \u201cUpdateFolder\u201d, and \u201cFindFolder\u201d may be observed for the combination of the authenticated user and IP address.<\/p>\n\n\n\n<p>If a threat actor attempts to access email for a compromised user, <em>SoapActions<\/em> including &#8220;ResolveNames&#8221;,&#8221;GetDelegate&#8221;,&#8221;GetFolder&#8221;,&#8221;FindFolder&#8221;,&#8221;FindItem&#8221;, and &#8220;GetItem&#8221; may be observed for the combination of the authenticated user and IP address.<\/p>\n\n\n\n<p>The following Kusto Query Language (KQL) query can assist with parsing and summarizing EWS logging for the purposes described above, if the relevant logs have been ingested into Azure Data Explorer.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>EWSLogging\n| where AuthenticationType == 'NTLM'\n| extend IpAddress = tostring(split(ClientIpAddress,\":\")&#91;0])\n| summarize count(), min(&#91;'DateTime']),max(&#91;'DateTime']), \n    make_set(SoapAction), make_set(UserAgent) by AuthenticatedUser, IpAddress<\/code><\/pre>\n\n\n\n<h5 class=\"wp-block-heading\" id=\"exchange-http-proxy-ews-logs\">Exchange HTTP Proxy EWS Logs<\/h5>\n\n\n\n<p>HTTP Proxy EWS logs can be useful to identify the details of NTLMv2 authentications. The user name, workstation name, and domain name can be extracted from those values using the techniques described in &nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/community.pulsesecure.net\/t5\/Pulse-Secure-vADC\/HowTo-Decode-and-log-the-username-in-an-NTLM-connection\/ta-p\/28869\">https:\/\/community.pulsesecure.net\/t5\/Pulse-Secure-vADC\/HowTo-Decode-and-log-the-username-in-an-NTLM-connection\/ta-p\/28869<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/davenport.sourceforge.net\/ntlm.html\">https:\/\/davenport.sourceforge.net\/ntlm.html<\/a><\/li>\n<\/ul>\n\n\n\n<h5 class=\"wp-block-heading\" id=\"exchange-server-message-tracking-logs\">Exchange Server Message Tracking Logs<\/h5>\n\n\n\n<p>Exchange Server Message Tracking Logs are useful to identify messages with certain subjects or from certain sender IP address values. Refer to the following Microsoft Learn pages for more details:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/learn.microsoft.com\/exchange\/mail-flow\/transport-logs\/transport-logs?view=exchserver-2019\">https:\/\/learn.microsoft.com\/exchange\/mail-flow\/transport-logs\/transport-logs?view=exchserver-2019<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/learn.microsoft.com\/exchange\/monitoring\/trace-an-email-message\/run-a-message-trace-and-view-results\">https:\/\/learn.microsoft.com\/exchange\/monitoring\/trace-an-email-message\/run-a-message-trace-and-view-results<\/a><\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"additional-indicators-of-compromise\">Additional indicators of compromise<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"potential-registry-key-modification\">Potential registry key modification<\/h4>\n\n\n\n<p>Microsoft Incident Response identified a registry key that can indicate that a reminder was triggered for a Note or Task item. This registry key holds certain properties (e.g., location and size) of the UI window that is created when the reminder triggered. If a user has not used the reminder functionality within Tasks or Notes, these registry keys will not exist. Figure 8 depicts the Task key as viewed in RegEdit:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><em>HKCU\\Software\\Microsoft\\Office\\&lt;VERSION OF OUTLOOK&gt;\\Outlook\\Tasks<\/em><\/li>\n\n\n\n<li><em>HKCU\\Software\\Microsoft\\Office\\&lt;VERSION OF OUTLOOK&gt;\\Outlook\\Notes<\/em><\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"875\" height=\"226\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/03\/Figure-8-example-registry-key-for-a-task-item.png\" alt=\"Screenshot of registry key for a task \" class=\"wp-image-126864\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/03\/Figure-8-example-registry-key-for-a-task-item.png 875w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/03\/Figure-8-example-registry-key-for-a-task-item-300x77.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/03\/Figure-8-example-registry-key-for-a-task-item-768x198.png 768w\" sizes=\"(max-width: 875px) 100vw, 875px\" \/><figcaption class=\"wp-element-caption\">Figure 8: Example registry key for a Task item.<\/figcaption><\/figure>\n\n\n\n<p>The presence of these keys provides evidence that a user has received a reminder for a Task or Note. If the presence of this registry key is identified, and appears to be anomalistic for your organization, threat hunters should examine the user\u2019s mailbox as well as network\/endpoint telemetry for further evidence of compromise using the techniques described in this blog, especially by performing temporal analysis around the <em>LastModified<\/em> timestamp of the registry keys.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"hunting-for-outbound-smb-connections\">Hunting for outbound SMB connections<\/h4>\n\n\n\n<p>Network perimeter telemetry and\/or EDR data can be investigated for SMB connections involving external IP addresses as part of a larger threat hunting strategy.<\/p>\n\n\n\n<p>The following query can be used in the advanced hunting portal of Microsoft Defender for Endpoint to further align SMB connections with Net-NTLMv2 behavior.<\/p>\n\n\n\n<p>The query will identify connections involving port 445 (standard for SMB) involving remote public IP addresses. By filtering on both Local and Remote parameters, the query will also include records of the <em>NetworkSignatureInspected<\/em> ActionType. If threat actor infrastructure is attempting to harvest Net-NTLMv2 credentials, the <em>NetworkSignatureInspected<\/em> ActionType should include a <em>SignatureName<\/em> of NTLM-Challenge. This indicates a Net-NTLMv2 negotiation was attempted.<\/p>\n\n\n\n<p>For more information about the <em>NetworkSignatureInspected<\/em> actions, check <a href=\"https:\/\/techcommunity.microsoft.com\/t5\/microsoft-defender-for-endpoint\/hunting-for-network-signatures-in-microsoft-defender-for\/ba-p\/3429520\">Hunting for network signatures in Microsoft Defender for Endpoint<\/a>.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/\/Hunt for SMB to the internet\nlet range = ago(30d);\nDeviceNetworkEvents\n| where Timestamp &gt; range\n\/\/Connections have RemotePort set to 445\n\/\/NetworkSignatureInspected have LocalPort set to 445\n| where RemotePort == 445 or LocalPort == 445\n| where not(ipv4_is_private(RemoteIP)) or not(ipv4_is_private(LocalIP))\n| extend SignatureName = tostring(parse_json(AdditionalFields).SignatureName)\n| project-reorder Timestamp, DeviceName, ActionType, LocalIP,RemoteIP, LocalPort, RemotePort,SignatureName\n| sort by Timestamp desc\n<\/code><\/pre>\n\n\n\n<p>NOTE: Organizations may consider filtering out their own public IP address space from the query above.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"microsoft-product-detections\">Microsoft product detections<\/h2>\n\n\n\n<p>Organizations using Microsoft Defender for Endpoint or Microsoft Defender for Office 365 can identify threats using the following detections.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Microsoft Defender for Endpoint<\/strong> provides detections with the following titles in the security center can indicate threat activity on your network:\n<ul class=\"wp-block-list\">\n<li><strong>Possible target of Net-NTLMv2 credential theft<\/strong> \u2013 This detects specific attacks observed by Microsoft prior to disclosure of the vulnerability and might not detect variations on the attack after publishing.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Microsoft Defender for Office 365<\/strong> detects messages exploiting this vulnerability and shows administrators the following alerts to indicate that the file contains a critical elevation of privilege exploit related to CVE-2023-23397:<ul><li>Exploit_Office_CVE_2023_23397_A<\/li><\/ul><ul><li>Exploit_Office_CVE_2023_23397_B<\/li><\/ul><ul><li>Exploit_Office_CVE_2023_23397_C<\/li><\/ul><ul><li>Exploit_Office_CVE_2023_23397_D<\/li><\/ul><ul><li>Exploit_Office_CVE_2023_23397_E<\/li><\/ul><ul><li>Exploit_Office_CVE_2023_23397_F<\/li><\/ul><ul><li>Exploit_Office_CVE_2023_23397_G<\/li><\/ul>\n<ul class=\"wp-block-list\">\n<li>Exploit_Office_CVE_2023_23397_H<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"recommendations\">Recommendations<\/h2>\n\n\n\n<p>Microsoft Incident Response recommends the following steps to mitigate this type of attack and the observed post-exploitation behavior:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Ensure Microsoft Outlook is updated as soon as possible to mitigate the issue. If patching is not immediately possible, ensuring you have implemented these security best practices can help mitigate this threat:<ul><li>Add users to the <a href=\"https:\/\/learn.microsoft.com\/windows-server\/security\/credentials-protection-and-management\/protected-users-security-group?ocid=magicti_ta_learndoc\">Protected Users group<\/a>, which prevents the use of NTLM as an authentication mechanism. This might impact applications that require NTLM, but the settings will revert once the user is removed from the Protected Users group. This makes troubleshooting easier than other methods of disabling NTLM authentication. The Protected Users group provides credential protections beyond disabling NTLM and should be used for high-value accounts, such as domain administrators, when possible.<\/li><\/ul>\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/support.microsoft.com\/topic\/preventing-smb-traffic-from-lateral-connections-and-entering-or-leaving-the-network-c0541db7-2244-0dce-18fd-14a3ddeb282a?ocid=magicti_ta_support\">Block TCP 445\/SMB outbound<\/a> from your network by using a perimeter firewall, local firewall, and through your VPN settings. This helps prevent the exploitation of CVE-2023-23397 to send NTLM authentication messages to remote file shares. For remote users, it is important to check split tunnel VPN settings to ensure outbound traffic is blocked when they are not on your corporate network.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>For organizations leveraging on-premises Microsoft Exchange Server, apply the <a href=\"https:\/\/learn.microsoft.com\/exchange\/new-features\/build-numbers-and-release-dates?view=exchserver-2019\">latest security updates<\/a> to ensure that defense-in-depth mitigations are active.<\/li>\n\n\n\n<li>Where suspicious or malicious reminder values are observed, make sure to use the script to remove either the messages or just the properties, and consider initiating incident response activities.<\/li>\n\n\n\n<li>For any targeted or compromised user, reset the passwords of any account logged in to computers of which the user received suspicious reminders and initiate incident response activities.<\/li>\n\n\n\n<li>Use multifactor authentication to mitigate the impact of potential Net-NTLMv2 Relay attacks. NOTE: This will not prevent a threat actor from leaking credentials and cracking them offline.<\/li>\n\n\n\n<li>Disable unnecessary services on Exchange.<\/li>\n\n\n\n<li>Limit SMB traffic by blocking connections on ports 135 and 445 from all inbound IP addresses except those on a controlled allowlist.<\/li>\n\n\n\n<li>Disable NTLM in your environment.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"understanding-mitigations\">Understanding mitigations<\/h3>\n\n\n\n<p>To address this vulnerability, you must install the Outlook security update, regardless of where your mail is hosted (e.g., Exchange Online, Exchange Server, some other platform) or your organization\u2019s support for NTLM authentication.<\/p>\n\n\n\n<p>When using Exchange Online or Exchange server as your mail host, you can take the following additional actions:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Determine if your organization was targeted by actors attempting to use this vulnerability<\/li>\n\n\n\n<li>Provide defense in depth for new messages received outside your organization&nbsp;<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"protections-in-outlook\">Protections in Outlook<\/h4>\n\n\n\n<p>Outlook for Windows first checks if the path specified by the &nbsp;<em>PidLidReminderFileParameter<\/em> message property is to a location that is not in the local or trusted network. If the path points outside of the local or trusted network locations, the parameter is not honored when updates are installed.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"protections-in-exchange-online\">Protections in Exchange Online<\/h4>\n\n\n\n<p>Exchange Online drops the <em>PidLidReminderFileParameter<\/em> message property at TNEF conversion when a new message is received.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"protections-for-exchange-server\">Protections for Exchange Server<\/h4>\n\n\n\n<p>Exchange Server (with March 2023 SU) drops the <em>PidLidReminderFileParameter<\/em> message property at TNEF conversion when a new message is received.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"conclusion\">Conclusion<\/h2>\n\n\n\n<p>While leveraging NTLMv2 hashes to gain unauthorized access to resources is not a new technique, the exploitation of CVE-2023-23397 is novel and stealthy. Even when users reported suspicious reminders on tasks, initial security review of the messages, tasks, or calendar items involved did not result in detection of the malicious activity. Furthermore, the lack of any required user interaction contributes to the unique nature of this vulnerability. In this document, Microsoft Incident Response has highlighted threat hunting techniques and strategy for exploitation of this CVE, alongside some hunting techniques for observed post-exploitation threat actor behaviors. Furthermore, a broad threat hunting for anomalous user activity consistent with credential compromise is advised.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"observed-indicators-of-attack\">Observed indicators of attack<\/h2>\n\n\n\n<p>Several malicious samples have been uploaded to VirusTotal.com and a signature has been created that identifies potentially malicious messages associated with exploitation of CVE-2023-23397.<\/p>\n\n\n\n<p>VirusTotal subscribers can review those results here: <a href=\"https:\/\/www.virustotal.com\/gui\/search\/crowdsourced_yara_rule%253A000bc4a247%257CEXPL_SUSP_Outlook_CVE_2023_23397_Exfil_IP_Mar23\">https:\/\/www.virustotal.com\/gui\/search\/crowdsourced_yara_rule%253A000bc4a247%257CEXPL_SUSP_Outlook_CVE_2023_23397_Exfil_IP_Mar23<\/a><\/p>\n\n\n\n<p>Known IP addresses associated with exploitation of this vulnerability in the above VirusTotal results are listed below. NOTE: These IP addresses were assessed by Microsoft Threat Intelligence to be compromised infrastructure.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>101.255.119[.]42<\/li>\n\n\n\n<li>213.32.252[.]221<\/li>\n\n\n\n<li>168.205.200[.]55<\/li>\n\n\n\n<li>185.132.17[.]160<\/li>\n\n\n\n<li>69.162.253[.]21<\/li>\n\n\n\n<li>113.160.234[.]229<\/li>\n\n\n\n<li>181.209.99[.]204<\/li>\n\n\n\n<li>82.196.113[.]102<\/li>\n\n\n\n<li>85.195.206[.]7<\/li>\n\n\n\n<li>61.14.68[.]33<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"threat-intelligence-reports\">Threat intelligence reports<\/h2>\n\n\n\n<p>Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.<\/p>\n\n\n\n<p><strong>Microsoft Defender Threat Intelligence<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/ti.defender.microsoft.com\/articles\/d34c6079\">Multiple threat actors continue to exploit WinRAR vulnerability CVE-2023-38831<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/ti.defender.microsoft.com\/articles\/4801b921\">Forest Blizzard uses Exchange PowerShell for persistence<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/ti.defender.microsoft.com\/articles\/1bccfe3f\">CVE-2023-23397 Microsoft Outlook elevation of privilege vulnerability leads to NTLM credential theft<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/ti.defender.microsoft.com\/intel-profiles\/dd75f93b2a771c9510dceec817b9d34d868c2d1353d08c8c1647de067270fdf8\/description\">Forest Blizzard<\/a><\/li>\n<\/ul>\n\n\n\n<p><strong>Microsoft 365 Defender Threat analytics<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/security.microsoft.com\/threatanalytics3\/752538a3-9738-420d-8ca5-fa8afbfb8b5a\/analystreport?search=forest%2520blizzard&amp;tid=0553df8d-f650-4a9b-b0b8-f97df0aedfce\">Actor profile: Forest Blizzard<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/security.microsoft.com\/threatanalytics3\/dc1b73e6-9bf4-4b0f-8f3a-df9758abf5b6\/analystreport?search=forest%2520blizzard&amp;tid=0553df8d-f650-4a9b-b0b8-f97df0aedfce\">CVE-2023-23397: Microsoft Outlook elevation of privilege vulnerability leads to NTLM credential theft<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/security.microsoft.com\/threatanalytics3\/e88120d2-8e14-475b-a573-20b3a36d3e6b\/analystreport?search=forest%2520blizzard&amp;tid=0553df8d-f650-4a9b-b0b8-f97df0aedfce\">Vulnerability profile: CVE-2023-38831 in WinRAR<\/a><\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"further-reading\">Further reading<\/h2>\n\n\n\n<p>For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog:&nbsp;<a href=\"https:\/\/aka.ms\/threatintelblog\">https:\/\/aka.ms\/threatintelblog<\/a>.<\/p>\n\n\n\n<p>To get notified about new publications and to join discussions on social media, follow us on LinkedIn at <a href=\"https:\/\/www.linkedin.com\/showcase\/microsoft-threat-intelligence\">https:\/\/www.linkedin.com\/showcase\/microsoft-threat-intelligence<\/a>, and on X (formerly Twitter) at&nbsp;<a href=\"https:\/\/twitter.com\/MsftSecIntel\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/twitter.com\/MsftSecIntel<\/a>.<\/p>\n\n\n\n<p>To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: <a href=\"https:\/\/thecyberwire.com\/podcasts\/microsoft-threat-intelligence\">https:\/\/thecyberwire.com\/podcasts\/microsoft-threat-intelligence<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This guide provides steps organizations can take to assess whether users have been targeted or compromised by threat actors exploiting CVE-2023-23397. <\/p>\n","protected":false},"author":68,"featured_media":126869,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"ep_exclude_from_search":false,"_classifai_error":"","footnotes":""},"content-type":[3663],"topic":[3674,3687],"products":[3690,3694,3854,3720],"threat-intelligence":[3727],"tags":[3896,3898,3829],"coauthors":[2064],"class_list":["post-126855","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","content-type-research","topic-incident-response","topic-threat-intelligence","products-microsoft-defender","products-microsoft-defender-for-endpoint","products-microsoft-incident-response","products-microsoft-security-experts","threat-intelligence-attacker-techniques-tools-and-infrastructure","tag-credential-theft","tag-elevation-of-privilege","tag-forest-blizzard-strontium","review-flag-1694638264-948","review-flag-1694638265-576","review-flag-1-1694638265-354","review-flag-2-1694638266-864","review-flag-3-1694638266-241","review-flag-4-1694638266-512","review-flag-5-1694638266-171","review-flag-6-1694638266-691","review-flag-7-1694638266-851","review-flag-8-1694638266-352","review-flag-and-o-1694638265-458","review-flag-disable","review-flag-fall-1694638270-285","review-flag-lever-1694638263-909","review-flag-new-1694638263-340"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v23.7 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Guidance for investigating attacks using CVE-2023-23397 | Microsoft Security Blog<\/title>\n<meta name=\"description\" content=\"This guide provides steps to assess whether users have been targeted or compromised by threat actors exploiting CVE-2023-23397.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/03\/24\/guidance-for-investigating-attacks-using-cve-2023-23397\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Guidance for investigating attacks using CVE-2023-23397 | Microsoft Security Blog\" \/>\n<meta property=\"og:description\" content=\"This guide provides steps to assess whether users have been targeted or compromised by threat actors exploiting CVE-2023-23397.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/03\/24\/guidance-for-investigating-attacks-using-cve-2023-23397\/\" \/>\n<meta property=\"og:site_name\" content=\"Microsoft Security Blog\" \/>\n<meta property=\"article:published_time\" content=\"2023-03-24T18:30:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-07-03T14:48:16+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/03\/Invesetigation-guidance-CVE-2023-23397.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"800\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Microsoft Incident Response\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Microsoft Incident Response\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"20 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/03\/24\/guidance-for-investigating-attacks-using-cve-2023-23397\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/03\/24\/guidance-for-investigating-attacks-using-cve-2023-23397\/\"},\"author\":[{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/detection-and-response-team-dart\/\",\"@type\":\"Person\",\"@name\":\"Microsoft Incident Response\"}],\"headline\":\"Guidance for investigating attacks using CVE-2023-23397\",\"datePublished\":\"2023-03-24T18:30:00+00:00\",\"dateModified\":\"2024-07-03T14:48:16+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/03\/24\/guidance-for-investigating-attacks-using-cve-2023-23397\/\"},\"wordCount\":4743,\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/03\/24\/guidance-for-investigating-attacks-using-cve-2023-23397\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/03\/Invesetigation-guidance-CVE-2023-23397.jpg\",\"keywords\":[\"Credential theft\",\"Elevation of privilege\",\"Forest Blizzard (STRONTIUM)\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/03\/24\/guidance-for-investigating-attacks-using-cve-2023-23397\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/03\/24\/guidance-for-investigating-attacks-using-cve-2023-23397\/\",\"name\":\"Guidance for investigating attacks using CVE-2023-23397 | Microsoft Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/03\/24\/guidance-for-investigating-attacks-using-cve-2023-23397\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/03\/24\/guidance-for-investigating-attacks-using-cve-2023-23397\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/03\/Invesetigation-guidance-CVE-2023-23397.jpg\",\"datePublished\":\"2023-03-24T18:30:00+00:00\",\"dateModified\":\"2024-07-03T14:48:16+00:00\",\"description\":\"This guide provides steps to assess whether users have been targeted or compromised by threat actors exploiting CVE-2023-23397.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/03\/24\/guidance-for-investigating-attacks-using-cve-2023-23397\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/03\/24\/guidance-for-investigating-attacks-using-cve-2023-23397\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/03\/24\/guidance-for-investigating-attacks-using-cve-2023-23397\/#primaryimage\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/03\/Invesetigation-guidance-CVE-2023-23397.jpg\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/03\/Invesetigation-guidance-CVE-2023-23397.jpg\",\"width\":1200,\"height\":800,\"caption\":\"Photo of enterprise office workers in focused work in an open work space.\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/03\/24\/guidance-for-investigating-attacks-using-cve-2023-23397\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Guidance for investigating attacks using CVE-2023-23397\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"name\":\"Microsoft Security Blog\",\"description\":\"Expert coverage of cybersecurity topics\",\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\",\"name\":\"Microsoft Security Blog\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"width\":512,\"height\":512,\"caption\":\"Microsoft Security Blog\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Guidance for investigating attacks using CVE-2023-23397 | Microsoft Security Blog","description":"This guide provides steps to assess whether users have been targeted or compromised by threat actors exploiting CVE-2023-23397.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/03\/24\/guidance-for-investigating-attacks-using-cve-2023-23397\/","og_locale":"en_US","og_type":"article","og_title":"Guidance for investigating attacks using CVE-2023-23397 | Microsoft Security Blog","og_description":"This guide provides steps to assess whether users have been targeted or compromised by threat actors exploiting CVE-2023-23397.","og_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/03\/24\/guidance-for-investigating-attacks-using-cve-2023-23397\/","og_site_name":"Microsoft Security Blog","article_published_time":"2023-03-24T18:30:00+00:00","article_modified_time":"2024-07-03T14:48:16+00:00","og_image":[{"width":1200,"height":800,"url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/03\/Invesetigation-guidance-CVE-2023-23397.jpg","type":"image\/jpeg"}],"author":"Microsoft Incident Response","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Microsoft Incident Response","Est. reading time":"20 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/03\/24\/guidance-for-investigating-attacks-using-cve-2023-23397\/#article","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/03\/24\/guidance-for-investigating-attacks-using-cve-2023-23397\/"},"author":[{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/detection-and-response-team-dart\/","@type":"Person","@name":"Microsoft Incident Response"}],"headline":"Guidance for investigating attacks using CVE-2023-23397","datePublished":"2023-03-24T18:30:00+00:00","dateModified":"2024-07-03T14:48:16+00:00","mainEntityOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/03\/24\/guidance-for-investigating-attacks-using-cve-2023-23397\/"},"wordCount":4743,"publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/03\/24\/guidance-for-investigating-attacks-using-cve-2023-23397\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/03\/Invesetigation-guidance-CVE-2023-23397.jpg","keywords":["Credential theft","Elevation of privilege","Forest Blizzard (STRONTIUM)"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/03\/24\/guidance-for-investigating-attacks-using-cve-2023-23397\/","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/03\/24\/guidance-for-investigating-attacks-using-cve-2023-23397\/","name":"Guidance for investigating attacks using CVE-2023-23397 | Microsoft Security Blog","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/03\/24\/guidance-for-investigating-attacks-using-cve-2023-23397\/#primaryimage"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/03\/24\/guidance-for-investigating-attacks-using-cve-2023-23397\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/03\/Invesetigation-guidance-CVE-2023-23397.jpg","datePublished":"2023-03-24T18:30:00+00:00","dateModified":"2024-07-03T14:48:16+00:00","description":"This guide provides steps to assess whether users have been targeted or compromised by threat actors exploiting CVE-2023-23397.","breadcrumb":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/03\/24\/guidance-for-investigating-attacks-using-cve-2023-23397\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/03\/24\/guidance-for-investigating-attacks-using-cve-2023-23397\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/03\/24\/guidance-for-investigating-attacks-using-cve-2023-23397\/#primaryimage","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/03\/Invesetigation-guidance-CVE-2023-23397.jpg","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/03\/Invesetigation-guidance-CVE-2023-23397.jpg","width":1200,"height":800,"caption":"Photo of enterprise office workers in focused work in an open work space."},{"@type":"BreadcrumbList","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/03\/24\/guidance-for-investigating-attacks-using-cve-2023-23397\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/"},{"@type":"ListItem","position":2,"name":"Guidance for investigating attacks using CVE-2023-23397"}]},{"@type":"WebSite","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/","name":"Microsoft Security Blog","description":"Expert coverage of cybersecurity topics","publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization","name":"Microsoft Security Blog","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png","width":512,"height":512,"caption":"Microsoft Security Blog"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/"}}]}},"msxcm_display_generated_audio":false,"distributor_meta":false,"distributor_terms":false,"distributor_media":false,"distributor_original_site_name":"Microsoft Security Blog","distributor_original_site_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog","push-errors":false,"_links":{"self":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/126855"}],"collection":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/users\/68"}],"replies":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/comments?post=126855"}],"version-history":[{"count":6,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/126855\/revisions"}],"predecessor-version":[{"id":133445,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/126855\/revisions\/133445"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/media\/126869"}],"wp:attachment":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/media?parent=126855"}],"wp:term":[{"taxonomy":"content-type","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/content-type?post=126855"},{"taxonomy":"topic","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/topic?post=126855"},{"taxonomy":"products","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/products?post=126855"},{"taxonomy":"threat-intelligence","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/threat-intelligence?post=126855"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/tags?post=126855"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/coauthors?post=126855"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}