From a4b75cc0ac11c8bd78bdede8e7e877c76ef130e6 Mon Sep 17 00:00:00 2001
From: Kevin Friedemann
Date: Thu, 5 Oct 2023 14:32:26 -0400
Subject: [PATCH 1/8] Added analytic rule for vulnerability of CVE-2023-4863
---
 .../PossibleWebpBufferOverflow.yaml | 62 +++++++++++++++++++
 1 file changed, 62 insertions(+)
 create mode 100644 Solutions/Microsoft 365/Analytic Rules/PossibleWebpBufferOverflow.yaml
diff --git a/Solutions/Microsoft 365/Analytic Rules/PossibleWebpBufferOverflow.yaml b/Solutions/Microsoft 365/Analytic Rules/PossibleWebpBufferOverflow.yaml
new file mode 100644
index 00000000000..d5e445bb667
--- /dev/null
+++ b/Solutions/Microsoft 365/Analytic Rules/PossibleWebpBufferOverflow.yaml
@@ -0,0 +1,62 @@
+id: 26e81021-2de6-4442-a74a-a77885e96911
+name: Execution of software vulnerable to webp buffer overflow of CVE-2023-4863
+description: |
+ 'This query looks at device, process, and network events from Defender for Endpoint that may be vulnerable to buffer overflow defined in CVE-2023-4863. Results are not an indicator of malicious activity.'
+severity: Informational
+status: Available
+kind: Scheduled
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+query: |-
+ //CVE-2023-4863 Process activity with .webp files on devices where CVE-2023-4863 is unpatched
+ //This query shows all process activity with .webp files on vulnerable machines and is not an indicator of malicious activity
+ let VulnDevices = DeviceTvmSoftwareVulnerabilities
+ | where CveId == "CVE-2023-4863"
+ | distinct DeviceId;
+ union DeviceProcessEvents, DeviceNetworkEvents, DeviceEvents
+ | where DeviceId in (VulnDevices) and InitiatingProcessCommandLine has(".webp") or ProcessCommandLine has(".webp")
+entityMappings:
+- entityType: Host
+ fieldMappings:
+ - identifier: HostName
+ columnName: DeviceName
+- entityType: Account
+ fieldMappings:
+ - identifier: FullName
+ columnName: AccountName
+- entityType: Process
+ fieldMappings:
+ - identifier: ProcessId
+ columnName: ProcessId
+- entityType: Process
+ fieldMappings:
+ - identifier: ProcessId
+ columnName: InitiatingProcessId
+- entityType: Process
+ fieldMappings:
+ - identifier: CommandLine
+ columnName: InitiatingProcessCommandLine
+- entityType: Process
+ fieldMappings:
+ - identifier: CommandLine
+ columnName: ProcessCommandLine
+suppressionEnabled: false
+incidentConfiguration:
+ createIncident: false
+ groupingConfiguration:
+ enabled: false
+ reopenClosedIncident: false
+ lookbackDuration: 5h
+ matchingMethod: Selected
+ groupByEntities:
+ - Account
+ groupByAlertDetails: []
+ groupByCustomDetails: []
+suppressionDuration: 5h
+alertDetailsOverride:
+ alertDisplayNameFormat: Possible 
exploitation of CVE-2023-4863
+ alertDynamicProperties: []
+eventGroupingSettings:
+ aggregationKind: SingleAlert
\ No newline at end of file
From dc84dca5c2b02d2c209825a5db8203854cb9933e Mon Sep 17 00:00:00 2001
From: Kevin Friedemann
Date: Thu, 5 Oct 2023 17:06:41 -0400
Subject: [PATCH 2/8] Add data connectors field and move file to M365 Defender
---
 .../Analytic Rules/PossibleWebpBufferOverflow.yaml | 7 +++++++
 1 file changed, 7 insertions(+)
 rename Solutions/{Microsoft 365 => Microsoft 365 Defender}/Analytic Rules/PossibleWebpBufferOverflow.yaml (88%)
diff --git a/Solutions/Microsoft 365/Analytic Rules/PossibleWebpBufferOverflow.yaml b/Solutions/Microsoft 365 Defender/Analytic Rules/PossibleWebpBufferOverflow.yaml
similarity index 88%
rename from Solutions/Microsoft 365/Analytic Rules/PossibleWebpBufferOverflow.yaml
rename to Solutions/Microsoft 365 Defender/Analytic Rules/PossibleWebpBufferOverflow.yaml
index d5e445bb667..37103a77832 100644
--- a/Solutions/Microsoft 365/Analytic Rules/PossibleWebpBufferOverflow.yaml
+++ b/Solutions/Microsoft 365 Defender/Analytic Rules/PossibleWebpBufferOverflow.yaml
@@ -9,6 +9,13 @@ queryFrequency: 1h
 queryPeriod: 1h
 triggerOperator: gt
 triggerThreshold: 0
+requiredDataConnectors:
+ - connectorId: MicrosoftThreatProtection
+ dataTypes:
+ - DeviceProcessEvents
+ - DeviceNetworkEvents
+ - DeviceEvents
+ - DeviceTvmSoftwareVulnerabilities
 query: |-
 //CVE-2023-4863 Process activity with .webp files on devices where CVE-2023-4863 is unpatched
 //This query shows all process activity with .webp files on vulnerable machines and is not an indicator of malicious activity
From 2331d4e2158ce2d140339acadeea952217014ac9 Mon Sep 17 00:00:00 2001
From: Kevin Friedemann
Date: Thu, 5 Oct 2023 17:19:32 -0400
Subject: [PATCH 3/8] Removed entity to meet 5 maximum requirement
---
 .../Analytic Rules/PossibleWebpBufferOverflow.yaml | 4 ----
 1 file changed, 4 deletions(-)
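Review bot: The final `where` in the query mixes `and`/`or` without parentheses, so the `or ProcessCommandLine has(".webp")` branch is evaluated independently of `DeviceId in (VulnDevices)` and any .webp process activity on a fully patched device is returned too — the opposite of what the two comment lines above it promise. Change it to `| where DeviceId in (VulnDevices) and (InitiatingProcessCommandLine has(".webp") or ProcessCommandLine has(".webp"))`. `alertDisplayNameFormat: Possible exploitation of CVE-2023-4863` also reads as a compromise claim while the description says results are not an indicator of malicious activity; a neutral name such as `alertDisplayNameFormat: Process activity with .webp files on a device unpatched for CVE-2023-4863` keeps the alert honest for the analyst. Less certain: the 1h `queryPeriod` also bounds the `DeviceTvmSoftwareVulnerabilities` lookup, so if that table arrives as periodic snapshots rather than continuously, `VulnDevices` would be empty on most runs — worth confirming the ingestion cadence before relying on this rule.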
diff --git a/Solutions/Microsoft 365 Defender/Analytic Rules/PossibleWebpBufferOverflow.yaml b/Solutions/Microsoft 365 Defender/Analytic Rules/PossibleWebpBufferOverflow.yaml
index 37103a77832..c50561d78f5 100644
--- a/Solutions/Microsoft 365 Defender/Analytic Rules/PossibleWebpBufferOverflow.yaml
+++ b/Solutions/Microsoft 365 Defender/Analytic Rules/PossibleWebpBufferOverflow.yaml
@@ -41,10 +41,6 @@ entityMappings:
 fieldMappings:
 - identifier: ProcessId
 columnName: InitiatingProcessId
-- entityType: Process
- fieldMappings:
- - identifier: CommandLine
- columnName: InitiatingProcessCommandLine
 - entityType: Process
 fieldMappings:
 - identifier: CommandLine
From a46fa1a63703b7b394ef5c54f6455fa6ed0908e8 Mon Sep 17 00:00:00 2001
From: Kevin Friedemann
Date: Mon, 9 Oct 2023 08:35:41 -0400
Subject: [PATCH 4/8] Added version and TTPs
---
 .../Analytic Rules/PossibleWebpBufferOverflow.yaml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/Solutions/Microsoft 365 Defender/Analytic Rules/PossibleWebpBufferOverflow.yaml b/Solutions/Microsoft 365 Defender/Analytic Rules/PossibleWebpBufferOverflow.yaml
index c50561d78f5..9ffc1061ca2 100644
--- a/Solutions/Microsoft 365 Defender/Analytic Rules/PossibleWebpBufferOverflow.yaml
+++ b/Solutions/Microsoft 365 Defender/Analytic Rules/PossibleWebpBufferOverflow.yaml
@@ -9,6 +9,10 @@ queryFrequency: 1h
 queryPeriod: 1h
 triggerOperator: gt
 triggerThreshold: 0
+tactics:
+ - Execution
+relevantTechniques:
+ - T1203
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
 dataTypes:
@@ -62,4 +66,5 @@ alertDetailsOverride:
 alertDisplayNameFormat: Possible exploitation of CVE-2023-4863
 alertDynamicProperties: []
 eventGroupingSettings:
- aggregationKind: SingleAlert
\ No newline at end of file
+ aggregationKind: SingleAlert
+version: 1.0.0
\ No newline at end of file
From bbf7bc07c1ef698ba872180f5a16051db1b6ece9 Mon Sep 17 00:00:00 2001
From: Kevin Friedemann
Date: Mon, 9 Oct 2023 08:42:46 -0400
Subject: [PATCH 5/8] Added tag
---
 .../Analytic Rules/PossibleWebpBufferOverflow.yaml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/Solutions/Microsoft 365 Defender/Analytic Rules/PossibleWebpBufferOverflow.yaml b/Solutions/Microsoft 365 Defender/Analytic Rules/PossibleWebpBufferOverflow.yaml
index 9ffc1061ca2..4315ca9d9ae 100644
--- a/Solutions/Microsoft 365 Defender/Analytic Rules/PossibleWebpBufferOverflow.yaml
+++ b/Solutions/Microsoft 365 Defender/Analytic Rules/PossibleWebpBufferOverflow.yaml
@@ -13,6 +13,8 @@ tactics:
 - Execution
 relevantTechniques:
 - T1203
+tags:
+ - CVE-2023-4863
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
 dataTypes:
From cb4ec572c844d33028e2159c0873727914e47c96 Mon Sep 17 00:00:00 2001
From: Kevin Friedemann
Date: Tue, 10 Oct 2023 08:34:28 -0400
Subject: [PATCH 6/8] Grouped entities by fieldMappings
---
 .../Analytic Rules/PossibleWebpBufferOverflow.yaml | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/Solutions/Microsoft 365 Defender/Analytic Rules/PossibleWebpBufferOverflow.yaml b/Solutions/Microsoft 365 Defender/Analytic Rules/PossibleWebpBufferOverflow.yaml
index 4315ca9d9ae..4e9dac631cf 100644
--- a/Solutions/Microsoft 365 Defender/Analytic Rules/PossibleWebpBufferOverflow.yaml
+++ b/Solutions/Microsoft 365 Defender/Analytic Rules/PossibleWebpBufferOverflow.yaml
@@ -43,12 +43,8 @@ entityMappings:
 fieldMappings:
 - identifier: ProcessId
 columnName: ProcessId
-- entityType: Process
- fieldMappings:
 - identifier: ProcessId
 columnName: InitiatingProcessId
-- entityType: Process
- fieldMappings:
 - identifier: CommandLine
 columnName: ProcessCommandLine
 suppressionEnabled: false
From 0b11c0680001e7933afadbe2794a63bc02abd013 Mon Sep 17 00:00:00 2001
From: v-atulyadav <104008048+v-atulyadav@users.noreply.github.com>
Date: Wed, 11 Oct 2023 12:23:58 +0530
Subject: [PATCH 7/8] Update PossibleWebpBufferOverflow.yaml
---
 .../Analytic Rules/PossibleWebpBufferOverflow.yaml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/Solutions/Microsoft 365 Defender/Analytic Rules/PossibleWebpBufferOverflow.yaml b/Solutions/Microsoft 365 Defender/Analytic Rules/PossibleWebpBufferOverflow.yaml
index 4e9dac631cf..15f97dd1628 100644
--- a/Solutions/Microsoft 365 Defender/Analytic Rules/PossibleWebpBufferOverflow.yaml
+++ b/Solutions/Microsoft 365 Defender/Analytic Rules/PossibleWebpBufferOverflow.yaml
@@ -40,11 +40,14 @@ entityMappings:
 - identifier: FullName
 columnName: AccountName
 - entityType: Process
- fieldMappings:
 - identifier: ProcessId
 columnName: ProcessId
+- entityType: Process
+ fieldMappings:
 - identifier: ProcessId
 columnName: InitiatingProcessId
+- entityType: Process
+ fieldMappings:
 - identifier: CommandLine
 columnName: ProcessCommandLine
 suppressionEnabled: false
From 64c4717041775bad6839c2580963a25f2ccec6ac Mon Sep 17 00:00:00 2001
From: v-atulyadav <104008048+v-atulyadav@users.noreply.github.com>
Date: Wed, 11 Oct 2023 12:35:34 +0530
Subject: [PATCH 8/8] Update PossibleWebpBufferOverflow.yaml
---
 .../Analytic Rules/PossibleWebpBufferOverflow.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/Solutions/Microsoft 365 Defender/Analytic Rules/PossibleWebpBufferOverflow.yaml b/Solutions/Microsoft 365 Defender/Analytic Rules/PossibleWebpBufferOverflow.yaml
index 15f97dd1628..4315ca9d9ae 100644
--- a/Solutions/Microsoft 365 Defender/Analytic Rules/PossibleWebpBufferOverflow.yaml
+++ b/Solutions/Microsoft 365 Defender/Analytic Rules/PossibleWebpBufferOverflow.yaml
@@ -40,6 +40,7 @@ entityMappings:
 - identifier: FullName
 columnName: AccountName
 - entityType: Process
+ fieldMappings:
 - identifier: ProcessId
 columnName: ProcessId
 - entityType: Process