Security Bulletin: Microsoft Zero-Day Office & Windows Vulnerability

By Bryan Bollou, Team Lead, Cybersecurity Engineering

Purpose of TekStream Security Bulletins

With the TekStream Security Bulletin, we are presenting some specific detection use cases using everyone’s favorite SIEM, Splunk! We’ve cherry-picked vulnerabilities that are not only intriguing but also directly impactful for our valued clients. These vulnerabilities were chosen based on a multitude of factors, ranging from the technology in the crosshairs to the specific sectors being targeted. This is not a blog post to fully explain or give recommendations on remediating the vulnerability; that has been discussed at length by various resources. The goal here is to aggregate the detections to maximize your chances of detecting an attempt to exploit these vulnerabilities. Part of that is gathering the list of IOCs scattered across multiple locations on the internet and looking at activity that could point to the vulnerability being exploited. Here at TekStream, we have an amazing team of cybersecurity engineers armed with a deep knowledge of logs and the secrets they hold, ready to fortify your cyber resiliency!

Introduction

Confirmed to have been in use since July 3rd, 2023, CVE-2023-36884 is a zero-day Office and Windows HTML Remote Code Execution vulnerability. At the time of writing it is unpatched, and exploitation proceeds as follows.

  • An attacker crafts a Microsoft document that downloads a malicious file as soon as an unsuspecting user opens it.
  • The downloaded file contains a script that injects an iframe.
  • The iframe triggers a further download carrying the final malicious payload. This payload can be any of a number of malware types, including adware, spyware, and even ransomware. A well-known malware family associated with this vulnerability is “RomCom”.

Threat Overview

The vulnerability has been acknowledged by Microsoft, and they have suggested various mitigation steps to prevent its exploitation. These steps include blocking Office applications from creating child processes, or setting the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key. In this blog post, we would like to present some specific detection use cases using everyone’s favorite SIEM: Splunk.

For information on remediating the vulnerability, various resources have discussed this at length, notably Picus Security. We recommend you review their assessment.

Aggregate Detections

The goal here is to aggregate the detections to maximize your chances of detecting an attempt to exploit this vulnerability. Part of that is gathering the list of IOCs scattered across multiple locations on the internet and looking at activity that could point to CVE-2023-36884 being exploited. Here at TekStream, we have several security engineers with deep cybersecurity knowledge and, above all, an intimate familiarity with our clients’ logs.

In this blog post, we go through the various steps of CVE-2023-36884 exploitation and detection. For each step, we first provide a generic search built on the “tstats” command, which takes advantage of the accelerated data models to quickly find events that may match our IOC list. We then provide examples of more specific searches that add context to the initial find. There will be a wide variety of such specific searches, as each client has its own specific technologies.

Note: The initial infected Microsoft document is normally sent to the victims through a phishing campaign. Detecting this part is not covered in this blog post.  


The following detection steps mirror the stages and TTP-related indicators used in the attack: 

  1. Detect if any Microsoft Office application started a Windows shell or PowerShell process (cmd.exe or powershell.exe).
  2. Detect connections to IP addresses associated with malware known to exploit this vulnerability.
  3. Detect connections to domains associated with malware known to exploit this vulnerability, and to URLs used by that malware, including the pages where victims are directed to pay ransoms.
  4. Detect if a “.url” file was created in Microsoft Office’s recent folder: C:\Documents and Settings\user profile\Application Data\Microsoft\Office\Recent.
  5. Detect hashes and filenames of scripts known to exploit this vulnerability.

Threat Implication

  • Phishing campaigns with Microsoft document attachments are the main method of delivery to exploit this vulnerability. 
  • Customers who use Microsoft Defender for Office are protected from attachments that attempt to exploit this vulnerability. 

Threat Detection

Step 1

When exploiting this vulnerability, a maliciously modified document is normally sent to the victim in a phishing email. When the document is opened by an Office application, it spawns a child process to download further malicious files. Thus, detecting whether any Microsoft Office application started a Windows shell or PowerShell process (cmd.exe or powershell.exe) is the first step in detection.

Actions Detect
SPL
| tstats `summariesonly` latest(_time) as _time, values(Processes.user) as user, values(Processes.process) as process,
    latest(Processes.parent_process) as parent_process, latest(Processes.parent_process_exec) as parent_process_exec,
    latest(Processes.parent_process_guid) as parent_process_guid, latest(Processes.parent_process_id) as parent_process_id,
    latest(Processes.parent_process_path) as parent_process_path, latest(Processes.process_path) as process_path,
    latest(Processes.process_exec) as process_exec, latest(Processes.process_guid) as process_guid,
    latest(Processes.process_id) as process_id, latest(Processes.process_hash) as process_hash
    from datamodel="Endpoint"."Processes"
    where Processes.parent_process_name IN ("Excel.exe","Graph.exe","MSAccess.exe","MSPub.exe","PowerPoint.exe","Visio.exe","WinProj.exe","WinWord.exe","Wordpad.exe")
      AND Processes.process_name IN ("cmd.exe","powershell.exe")
    by Processes.dest, Processes.process_name, Processes.parent_process_name
| head 10000
| `drop_dm_object_name("Processes")`
| fields _time, dest, user, process_name, process, process_hash, process_path, process_exec, process_id, process_guid, parent_process, parent_process_name, parent_process_path, parent_process_exec, parent_process_guid, parent_process_id

Step 2

There are two steps in the exploitation of this vulnerability in which a maliciously modified document may attempt to connect to an external source to download additional malicious scripts and/or payloads. To detect the connection to some of the known destinations associated with this malware, this detection looks for attempted connections to known bad IP addresses.

Actions Detect

Attempted connections to the following IP addresses. Note: these and other IOCs are listed in the CSV attached at the end of this blog post.

SPL
| tstats `summariesonly` latest(_time) as _time, sum(All_Traffic.bytes) as bytes, values(All_Traffic.src_port) as src_port,
    values(All_Traffic.transport) as transport, values(All_Traffic.dest_port) as dest_port
    from datamodel="Network_Traffic"."All_Traffic"
    where All_Traffic.src IN ("104.234.239.26","138.124.183.8","209.127.116.190","209.159.147.170","45.9.148.118","45.9.148.123","45.9.148.219","65.21.27.250","66.23.226.102","74.50.94.156","94.232.40.34")
       OR All_Traffic.dest IN ("104.234.239.26","138.124.183.8","209.127.116.190","209.159.147.170","45.9.148.118","45.9.148.123","45.9.148.219","65.21.27.250","66.23.226.102","74.50.94.156","94.232.40.34")
    by All_Traffic.action, All_Traffic.src, All_Traffic.dest, All_Traffic.user
| head 10000
| `drop_dm_object_name("All_Traffic")`
| table action, src, src_port, dest, transport, dest_port, user, bytes

Step 3

As in Step 2, there are two points during exploitation at which the maliciously modified document may connect to an external source to download additional scripts and/or payloads. To catch connections to known destinations associated with this malware, this detection looks for attempted connections to known bad domains.

It also detects connections to specific URLs used by the malware, including the pages where victims are directed to pay ransoms.

Actions Detect

Attempted connections to the domains on the IOC domain checklist (included in the CSV attached at the end of this blog post).

SPL

Detect Domains

| tstats `summariesonly` sum(Web.bytes) as bytes, values(Web.http_content_type) as http_content_type,
    values(Web.http_method) as http_method, values(Web.http_user_agent) as http_user_agent, values(Web.status) as status
    from datamodel="Web"."Web"
    by Web.src, Web.dest, Web.user, Web.http_referrer, Web.url, _time
| `drop_dm_object_name("Web")`
| where match(url, "(?i)(altimata\.org|bentaxworld\.com|finformservice\.com|penofach\.com|ukrainianworldcongress\.info|wexonlake\.com)")
| fields _time, src, dest, user, http_referrer, url, http_content_type, http_method, http_user_agent, status, bytes
| eval ip_pair = src . " - " . dest
| stats values(_time) as Time, values(ip_pair) as src_dest, values(user) as user, values(http_referrer) as http_referrer, values(http_user_agent) as http_user_agent, values(http_method) as http_method, values(status) as status, values(bytes) as bytes, count by url
| fieldformat Time = strftime(Time,"%m/%d/%Y %T")

Detect URLs 

| tstats `summariesonly` sum(Web.bytes) as bytes, values(Web.http_content_type) as http_content_type,
    values(Web.http_method) as http_method, values(Web.http_user_agent) as http_user_agent, values(Web.status) as status
    from datamodel="Web"."Web"
    where Web.url IN ("http://finformservice.com:80/api/v1.5/subscriptiontoken=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9","http://finformservice.com:80/api/v1.5/subscriptiontoken=eyJpZCI6MTIzNDU2Nzg5LCJuYW1lIjoiSm9zZXBoIn0","http://finformservice.com:80/api/v1.5/subscriptiontoken=OpOSSw7e485LOP5PrzScxHb7SR6sAOMRckfFwi4rp7o","http://65.21.27.250:8080/mds/O--------------------------","http://finformservicecom:8080/mds/S--------------------------")
    by Web.src, Web.dest, Web.user, Web.http_referrer, Web.url, _time
| `drop_dm_object_name("Web")`
| fields _time, src, dest, user, http_referrer, url, http_content_type, http_method, http_user_agent, status, bytes
| eval ip_pair = src . " - " . dest
| stats values(_time) as Time, values(ip_pair) as src_dest, values(user) as user, values(http_referrer) as http_referrer, values(http_user_agent) as http_user_agent, values(http_method) as http_method, values(status) as status, values(bytes) as bytes, count by url
| fieldformat Time = strftime(Time,"%m/%d/%Y %T")

Step 4

During exploitation of the vulnerability, a new file, normally one with a “.url” extension, has been observed being dropped into Microsoft Office’s “recent” folder: C:\Documents and Settings\user profile\Application Data\Microsoft\Office\Recent (on current Windows versions the same folder lives under the roaming profile, i.e. C:\Users\user profile\AppData\Roaming\Microsoft\Office\Recent).

Actions Detect

A file with the extension “.url” created or moved into the Microsoft Office “recent” folder.

SPL
| tstats `summariesonly` latest(_time) as _time, latest(Filesystem.file_create_time) as file_create_time,
    latest(Filesystem.file_modify_time) as file_modify_time, latest(Filesystem.file_access_time) as file_access_time,
    values(Filesystem.action) as action, values(Filesystem.file_hash) as file_hash, values(Filesystem.file_size) as file_size
    from datamodel="Endpoint"."Filesystem"
    where Filesystem.file_name="*.url"
    by Filesystem.dest, Filesystem.file_path, Filesystem.file_name
| `drop_dm_object_name("Filesystem")`
| where match(file_name, "(?i)\.url$")
    AND match(file_path, "(?i)^C:\\\\(Documents and Settings\\\\[^\\\\]+\\\\Application Data|Users\\\\[^\\\\]+\\\\AppData\\\\Roaming)\\\\Microsoft\\\\Office\\\\Recent\\\\")
| fields _time, dest, action, file_name, file_hash, file_path, file_size, file_create_time, file_modify_time, file_access_time
| eval Time = strftime(_time,"%m/%d/%Y %T")

Step 5

While the malware payload downloaded in the final stage of exploitation varies widely, certain scripts are seen often. This detection finds the hashes of these commonly seen malicious scripts in a client’s environment.

Actions Detect

The occurrence of the following hashes in the environment.

SPL
| tstats `summariesonly` latest(_time) as _time, latest(Filesystem.file_create_time) as file_create_time,
    latest(Filesystem.file_modify_time) as file_modify_time, latest(Filesystem.file_access_time) as file_access_time,
    values(Filesystem.action) as action, values(Filesystem.file_name) as file_name, values(Filesystem.file_size) as file_size
    from datamodel="Endpoint"."Filesystem"
    where Filesystem.file_hash IN (
        "0501d09a219131657c54dba71faf2b9d793e466f2c7fdf6b0b3c50ec5b866b2a",
        "07377209fe68a98e9bca310d9749daa4eb79558e9fc419cf0b02a9e37679038d",
        "1a7bb878c826fe0ca9a0677ed072ee9a57a228a09ee02b3c5bd00f54f354930f",
        "3a3138c5add59d2172ad33bc6761f2f82ba344f3d03a2269c623f22c1a35df97",
        "48142dc7fe28a5d8a849fff11cb8206912e8382314a2f05e72abad0978b27e90",
        "5f40cb4852ec50ee24f3cd951a172c725d02012d17dd645b6ce22d324aa140ad",
        "a61b2eafcf39715031357df6b01e85e0d1ea2e8ee1dfec241b114e18f7a1163f",
        "d3263cc3eff826431c2016aee674c7e3e5329bebfb7a145907de39a279859f4a",
        "e7cfeb023c3160a7366f209a16a6f6ea5a0bc9a3ddc16c6cba758114dfe6b539")
    by Filesystem.dest, Filesystem.file_path, Filesystem.file_hash
| `drop_dm_object_name("Filesystem")`
| fields _time, dest, action, file_name, file_hash, file_path, file_size, file_create_time, file_modify_time, file_access_time
| eval Time = strftime(_time,"%m/%d/%Y %T")

Conclusion

It is highly recommended to turn these searches into scheduled searches driven by lookup tables, rather than the inline IOC lists used above, so that specific and newly published indicators can be matched precisely without editing the searches themselves. Running them on a schedule ensures constant monitoring of your assets for emerging vulnerabilities. To maintain timeliness and efficiency, it is essential to remove the indicators of old, patched vulnerabilities from the lookup table. If you need assistance in creating a dynamic and customizable process tailored to your environment, feel free to consult our experts by completing the form below. Additionally, stay informed by subscribing to the TekStream blog for the latest monthly security bulletin and applying the most recent detections to fortify your systems. Happy Splunking!
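A lookup-driven form of Steps 2, 3 and 5 in one scheduled search, added here as an example and not code from the bulletin. It assumes a lookup file named cve_2023_36884_iocs.csv (a name chosen for this example) with the columns ioc_type (ip, domain or sha256), ioc_value and note, holding the IPs, domains and SHA-256 hashes listed above; the IP branch matches outbound destinations, the domain branch extracts the host from Web.url and matches it against the lookup, and the hash branch matches Filesystem.file_hash.

```spl
| tstats `summariesonly` count, min(_time) as first_seen, max(_time) as last_seen,
    values(All_Traffic.dest_port) as detail
    from datamodel="Network_Traffic"."All_Traffic"
    where [| inputlookup cve_2023_36884_iocs.csv
            | search ioc_type="ip"
            | rename ioc_value as All_Traffic.dest
            | fields All_Traffic.dest]
    by All_Traffic.src, All_Traffic.dest
| `drop_dm_object_name("All_Traffic")`
| eval ioc_type="ip", ioc_value=dest
| append
    [| tstats `summariesonly` count, min(_time) as first_seen, max(_time) as last_seen
        from datamodel="Web"."Web"
        by Web.src, Web.dest, Web.url
     | `drop_dm_object_name("Web")`
     | eval url_host=lower(replace(url, "^(?:[a-z]+://)?([^/:]+).*$", "\1"))
     | lookup cve_2023_36884_iocs.csv ioc_value AS url_host OUTPUT ioc_type
     | where ioc_type="domain"
     | eval ioc_value=url_host, detail=url]
| append
    [| tstats `summariesonly` count, min(_time) as first_seen, max(_time) as last_seen,
        values(Filesystem.file_path) as detail
        from datamodel="Endpoint"."Filesystem"
        where [| inputlookup cve_2023_36884_iocs.csv
                | search ioc_type="sha256"
                | rename ioc_value as Filesystem.file_hash
                | fields Filesystem.file_hash]
        by Filesystem.dest, Filesystem.file_hash
     | `drop_dm_object_name("Filesystem")`
     | eval ioc_type="sha256", ioc_value=file_hash]
| lookup cve_2023_36884_iocs.csv ioc_value OUTPUT note
| fieldformat first_seen=strftime(first_seen, "%m/%d/%Y %T")
| fieldformat last_seen=strftime(last_seen, "%m/%d/%Y %T")
| table ioc_type, ioc_value, note, src, dest, detail, count, first_seen, last_seen
```

Updating or pruning the CSV changes what the search matches with no edit to the SPL, which is the maintenance model the conclusion recommends. The append branches are subject to the usual subsearch result and time limits, so split them into separate scheduled searches if the Web branch is large in your environment.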

References

Articles referenced and used for this security bulletin:

CVE-2023-36884 – Microsoft Office and Windows HTML Remote Code Execution: Threat Brief (Updated)

Storm-0978 attacks reveal financial and espionage motives

CVE-2023-36884: A Detailed Look at The Recent Microsoft Vulnerability

Yet Another Microsoft Office365 zero-day: CVE-2023-36884

Disclaimer

The approaches recommended herein have not been tested broadly across the TekStream customer base. They are preliminary in nature and come without any certification of efficacy.