


This guide provides steps organizations can take to assess whether users have been targeted or compromised by threat actors exploiting CVE-2023-23397. A successful exploit of this vulnerability can result in unauthorized access to an organization's environment by triggering a Net-NTLMv2 hash leak. Understanding the vulnerability and how it has been leveraged by threat actors can help guide the overall investigative process.

This blog covers:
- Post-exploit activities observed in attacks.
- Techniques for determining if an organization was targeted or compromised via this vulnerability.
- Mitigations available to protect your environment.

Exploitation of CVE-2023-23397 leaves very few forensic artifacts to discover in traditional endpoint forensic analysis. This blog describes how Microsoft Incident Response (previously known as the Microsoft Detection and Response Team, DART) was able to detect the abuse of CVE-2023-23397 and how organizations can identify historical and present evidence of compromise through this vulnerability. The vulnerability itself only triggers the Net-NTLMv2 hash leak; abuse of the leaked hash is post-exploitation activity. In this blog, we emphasize specific observed post-exploitation activity that targeted Microsoft Exchange Server. However, there are numerous other ways a leaked Net-NTLMv2 hash could be used by a threat actor.

Understanding the vulnerability (CVE-2023-23397)

CVE-2023-23397 is a critical elevation of privilege vulnerability in Microsoft Outlook on Windows. It is exploited when a threat actor delivers a specially crafted message to a user. This message includes the PidLidReminderFileParameter extended Messaging Application Programming Interface (MAPI) property, set to a Universal Naming Convention (UNC) path pointing at a share on a threat actor-controlled server, reached over Server Message Block (SMB) on Transmission Control Protocol (TCP) port 445. The property normally names the sound file Outlook plays when a reminder fires; by pointing it at a remote UNC path, the threat actor causes the victim's Outlook to open an SMB connection to the attacker's server, leaking the user's Net-NTLMv2 hash. The user does not need to open or otherwise interact with the message: if Outlook on Windows is running when the reminder is triggered, exploitation occurs.

When Outlook connects to the remote SMB server, it authenticates with NTLM and sends the user's Net-NTLMv2 response (commonly called the Net-NTLMv2 hash) as part of the NTLM authentication exchange. The threat actor can either a) relay it to authenticate against other systems that accept NTLMv2 authentication (where the target does not enforce signing or Extended Protection for Authentication), or b) crack it offline to recover the user's password. Because these are Net-NTLMv2 challenge-response values rather than NT hashes, they cannot be used in a Pass-the-Hash attack.

All versions of Microsoft Outlook on Windows are impacted. Outlook for Android, iOS, and Mac, and users who use Outlook on the web (OWA) without the Outlook desktop client, are not affected. Microsoft has traced evidence of potential exploitation of this vulnerability as early as April 2022. The technique leverages the Transport Neutral Encapsulation Format (TNEF), which carries the crafted MAPI property inside the delivered message.
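The mailbox-side check this mechanism implies, as an added example that is not part of the original Microsoft post: Python triage logic that walks message records, looks at the PidLidReminderFileParameter property named on the page, and flags any value that is a remote UNC path rather than a local sound file. The message records, senders and hosts are constructed sample data and the record layout (a dict with `id`, `sender` and `properties`) is an assumption; the property's LID and property set are quoted from MS-OXPROPS and are not stated on the page.

```python
"""
Added example, not from the Microsoft blog: triage of messages whose
PidLidReminderFileParameter points at a remote share, the condition under
which a reminder makes Outlook open an outbound SMB (TCP 445) connection
and leak the user's Net-NTLMv2 response.
"""
import re
from dataclasses import dataclass

# Named MAPI property discussed on the page. Per MS-OXPROPS it is in
# PSETID_Common, long ID 0x0000851F, type PtypString (spec detail, not on
# the page; useful when mapping raw property tags to this name).
REMINDER_FILE_PARAMETER = "PidLidReminderFileParameter"

# \\host\share\... ; the forward-slash spelling is also accepted by Windows
# path handling, so it is treated as UNC here as well (assumption: be strict).
_UNC_RE = re.compile(r"^[\\/]{2}(?P<host>[^\\/]+)[\\/](?P<share>[^\\/]+)")
# Drive-letter path such as C:\Windows\Media\Alarm01.wav: a normal local sound.
_LOCAL_RE = re.compile(r"^[A-Za-z]:[\\/]")


@dataclass
class Finding:
    message_id: str
    sender: str
    value: str
    host: str
    share: str


def classify_reminder_path(value):
    """Classify a PidLidReminderFileParameter value.

    Returns ("unc", host, share) for a remote UNC path, ("local", "", "") for
    a drive-letter path, and ("other", "", "") for anything else (empty,
    relative name, ...). Only "unc" is the CVE-2023-23397 trigger condition.
    """
    if value is None:
        return ("other", "", "")
    v = value.strip()
    m = _UNC_RE.match(v)
    if m:
        return ("unc", m.group("host"), m.group("share"))
    if _LOCAL_RE.match(v):
        return ("local", "", "")
    return ("other", "", "")


def scan_messages(messages):
    """Return a Finding for every message whose reminder file is a UNC path."""
    findings = []
    for msg in messages:
        props = msg.get("properties", {})
        if REMINDER_FILE_PARAMETER not in props:
            continue  # property absent: reminder plays the default sound
        value = props[REMINDER_FILE_PARAMETER]
        kind, host, share = classify_reminder_path(value)
        if kind == "unc":
            findings.append(Finding(msg["id"], msg["sender"], value, host, share))
    return findings


def hosts_to_check(findings):
    """Distinct UNC hosts, to correlate with egress logs for TCP 445."""
    return {f.host for f in findings}


# Constructed sample mailbox records (not real messages). 203.0.113.10 is a
# documentation-range address; attacker.example is a placeholder name.
SAMPLE_MESSAGES = [
    {"id": "msg-001", "sender": "calendar@example.org",
     "properties": {REMINDER_FILE_PARAMETER: r"C:\Windows\Media\Alarm01.wav"}},
    {"id": "msg-002", "sender": "invoices@example.net",
     "properties": {REMINDER_FILE_PARAMETER: r"\\203.0.113.10\reminders\alert.wav"}},
    {"id": "msg-003", "sender": "hr@example.org", "properties": {}},
    {"id": "msg-004", "sender": "noreply@example.net",
     "properties": {REMINDER_FILE_PARAMETER: "//attacker.example/s/a.wav"}},
]

if __name__ == "__main__":
    for f in scan_messages(SAMPLE_MESSAGES):
        print(f"{f.message_id} from {f.sender}: reminder file -> {f.value} "
              f"(host={f.host}, share={f.share})")
    print("hosts to check in egress logs:", sorted(hosts_to_check(SAMPLE_MESSAGES and scan_messages(SAMPLE_MESSAGES))))
```

The hosts returned by `hosts_to_check` are the ones to look for in firewall or proxy logs as outbound TCP 445 connections from the affected user's workstation around the reminder time. An internal file server can legitimately appear in this property, so every hit still needs triage; a mail-delivered reminder pointing at an Internet address is the strong signal.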
