
Added analytic rule for vulnerability of CVE-2023-4863 #9162

Merged
merged 8 commits into from
Oct 11, 2023
@@ -0,0 +1,72 @@
id: 26e81021-2de6-4442-a74a-a77885e96911
name: Execution of software vulnerable to webp buffer overflow of CVE-2023-4863
description: |
'This query looks at device, process, and network events from Defender for Endpoint that may be vulnerable to buffer overflow defined in CVE-2023-4863. Results are not an indicator of malicious activity.'
severity: Informational
status: Available
kind: Scheduled
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- Execution
relevantTechniques:
- T1203
tags:
- CVE-2023-4863
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceProcessEvents
- DeviceNetworkEvents
- DeviceEvents
- DeviceTvmSoftwareVulnerabilities
query: |-
//CVE-2023-4863 Process activity with .webp files on devices where CVE-2023-4863 is unpatched
//This query shows all process activity with .webp files on vulnerable machines and is not an indicator of malicious activity
let VulnDevices = DeviceTvmSoftwareVulnerabilities
| where CveId == "CVE-2023-4863"
| distinct DeviceId;
union DeviceProcessEvents, DeviceNetworkEvents, DeviceEvents
| where DeviceId in (VulnDevices) and InitiatingProcessCommandLine has(".webp") or ProcessCommandLine has(".webp")
entityMappings:
- entityType: Host
fieldMappings:
- identifier: HostName
columnName: DeviceName
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountName
- entityType: Process
fieldMappings:
- identifier: ProcessId
columnName: ProcessId
- entityType: Process
fieldMappings:
- identifier: ProcessId
columnName: InitiatingProcessId
- entityType: Process
fieldMappings:
- identifier: CommandLine
columnName: ProcessCommandLine
suppressionEnabled: false
incidentConfiguration:
createIncident: false
groupingConfiguration:
enabled: false
reopenClosedIncident: false
lookbackDuration: 5h
matchingMethod: Selected
groupByEntities:
- Account
groupByAlertDetails: []
groupByCustomDetails: []
suppressionDuration: 5h
alertDetailsOverride:
alertDisplayNameFormat: Possible exploitation of CVE-2023-4863
alertDynamicProperties: []
eventGroupingSettings:
aggregationKind: SingleAlert
version: 1.0.0
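Review bot: the `where` clause after the `union` needs parentheses around the two `has(".webp")` tests, because in KQL `and` binds more tightly than `or`, so as written the predicate is `(DeviceId in (VulnDevices) and InitiatingProcessCommandLine has(".webp")) or ProcessCommandLine has(".webp")`, and every event whose `ProcessCommandLine` mentions .webp is returned from every device, patched or not, which defeats the `VulnDevices` scoping the query comments describe. Suggested form: `| where DeviceId in (VulnDevices) and (InitiatingProcessCommandLine has ".webp" or ProcessCommandLine has ".webp")`. Two smaller points: the `Account` entity maps `AccountName`, but `DeviceNetworkEvents` carries the account in `InitiatingProcessAccountName` rather than `AccountName`, so that entity will be empty for the network rows of the union unless the column is coalesced or projected before the mapping; and `alertDisplayNameFormat: Possible exploitation of CVE-2023-4863` overstates what the description says the rule finds ("not an indicator of malicious activity"), so a display name along the lines of "Process activity with .webp files on a device unpatched for CVE-2023-4863" would match the Informational severity and avoid misleading analysts.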