EDR: Does EDR Capture CVE-2023-23397 in a Threat Intelligence Feed?

Environment

  • EDR Server: All Versions
  • Threat Intelligence

Question

Does the EDR server have a threat intelligence feed to monitor for CVE-2023-23397?
  • Microsoft Outlook Elevation of Privilege Vulnerability 

Answer

  • Detecting the malicious message properties themselves is better handled by an email security gateway, since that activity takes place at the network layer.
  • You can create a watchlist specific to your environment that looks for network connections (netconns) to the standard SMB and LDAP ports going to IP ranges outside of where your authentication infrastructure is located. This can help monitor for an exploitation attempt from the EDR side. Because the logic has to be specific to your environment, a threat intelligence feed cannot be created for it.
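As an added illustration of the watchlist logic described above (example code, not a Carbon Black query or any code from this article), the following filters netconn events for SMB/LDAP destinations outside an allow-list of authentication-infrastructure ranges. The port numbers, the CIDR ranges and the sample events are assumptions constructed for the example.

```python
import ipaddress

# Well-known SMB and LDAP ports (assumption: the article names the protocols only).
SMB_PORTS = {139, 445}
LDAP_PORTS = {389, 636, 3268, 3269}

# Hypothetical allow-list of where this environment's domain controllers and other
# authentication infrastructure live. Constructed for the example; tune to your network.
AUTH_INFRA_RANGES = [
    ipaddress.ip_network("10.0.1.0/24"),
    ipaddress.ip_network("10.0.2.0/24"),
]


def is_auth_infra(dest_ip: str, ranges=AUTH_INFRA_RANGES) -> bool:
    """True when the destination falls inside a known authentication-infrastructure range."""
    ip = ipaddress.ip_address(dest_ip)
    return any(ip in net for net in ranges)


def suspicious_netconns(events, ranges=AUTH_INFRA_RANGES):
    """Return outbound SMB/LDAP connections whose destination is NOT authentication infrastructure.

    Private destinations outside the allow-list are flagged too: "outside where your
    authentication infrastructure is located" is not the same as "public IP".
    """
    watched = SMB_PORTS | LDAP_PORTS
    hits = []
    for ev in events:
        if ev.get("direction") != "outbound":
            continue                      # inbound file-share traffic is not this pattern
        if ev["dest_port"] not in watched:
            continue                      # not an SMB/LDAP port
        if is_auth_infra(ev["dest_ip"], ranges):
            continue                      # expected authentication traffic
        hits.append(ev)
    return hits


# Constructed sample netconn events, not real telemetry.
SAMPLE_EVENTS = [
    {"process": "outlook.exe", "dest_ip": "10.0.1.5",      "dest_port": 445, "direction": "outbound"},
    {"process": "outlook.exe", "dest_ip": "203.0.113.7",   "dest_port": 445, "direction": "outbound"},
    {"process": "outlook.exe", "dest_ip": "198.51.100.9",  "dest_port": 389, "direction": "outbound"},
    {"process": "chrome.exe",  "dest_ip": "198.51.100.9",  "dest_port": 443, "direction": "outbound"},
    {"process": "outlook.exe", "dest_ip": "192.168.50.20", "dest_port": 445, "direction": "outbound"},
    {"process": "System",      "dest_ip": "10.0.5.4",      "dest_port": 445, "direction": "inbound"},
]

if __name__ == "__main__":
    for hit in suspicious_netconns(SAMPLE_EVENTS):
        print(f"WATCHLIST HIT: {hit['process']} -> {hit['dest_ip']}:{hit['dest_port']}")
```

The first event (a domain controller in the allow-list) and the inbound SMB event are intentionally not flagged; the three remaining SMB/LDAP connections are.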

Additional Notes

  • VMware Carbon Black support does not assist with writing queries. For any further inquiries on creating a watchlist to monitor this, please engage in the threat intelligence discussion on the community forums. Community Discussion on CVE-2023-23397 Detections

Article Information
Creation Date: 03-20-2023