
Storm-0978 Attacks Mitigation Audit

Software Vulnerability

Monitor Your Mitigation Progress for CVE-2023-36884

CISA has ordered federal agencies to mitigate the RCE (remote code execution) zero-day vulnerabilities affecting Windows and Office before the 8th of August. This gives you just three weeks to implement the mitigations. The vulnerabilities have been exploited in phishing attacks against NATO. The exploited remote code execution vulnerabilities have been collectively tracked as CVE-2023-36884. Microsoft has confirmed that these vulnerabilities have been exploited in cyberattacks against government entities in North America and Europe. The attackers used malicious Office documents impersonating the Ukrainian World Congress organization to target participants of the NATO Summit in Vilnius.

If you are using Microsoft 365 Apps versions 2302 or higher, you are safe from attachments that try to exploit the vulnerability. Otherwise, you can set the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key to avoid exploitation. If you are using the registry key, the audit below shows you on which machines the key has been set for each Office executable. If you’re looking for a more basic view of which Office versions you have in your environment, you can use the Microsoft Office Version Audit.

Before running the audit, add the registry keys recommended by Microsoft’s security advisory to your custom registry scanning.

Storm-0978 Attacks Mitigation Lansweeper On-Prem Query

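-- Storm-0978 / CVE-2023-36884 mitigation audit (Lansweeper on-prem report).
-- Returns one row per active, domain-joined Windows workstation and, for each
-- Office executable named in Microsoft's advisory, whether the
-- FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION policy value is present and
-- which data it holds.
--
-- How to read the result:
--   * "<App> RegKey Found" = Yes only means the value NAME exists under the
--     key; the <App>Value column carries the data. The mitigation expects a
--     REG_DWORD of 1, so a value that is present with other data is not a
--     completed mitigation.
--   * tblRegistry only contains keys added to custom registry scanning, so
--     "No" also covers assets that were never scanned for the key. The
--     Comment column flags assets whose last registry scan is older than
--     24 hours.
--   * tblComputersystem.Domainrole = 1 (Win32_ComputerSystem DomainRole:
--     member workstation) excludes standalone workstations and every server
--     role; widen the filter if Office is installed on servers.
Select Top 1000000 tblAssets.AssetID,
tblAssets.AssetName,
tblAssets.Domain,
tblAssets.Username,
tblAssets.Userdomain,
Coalesce(tsysOS.Image, tsysAssetTypes.AssetTypeIcon10) As icon,
tblAssets.IPAddress,
tsysIPLocations.IPLocation,
tblAssetCustom.Manufacturer,
tblAssetCustom.Model,
tsysOS.OSname As OS,
tblAssets.Version,
tblAssets.SP,
-- Stale-data warning: the registry columns reflect the last registry scan,
-- so a scan older than a day may not show the current state of the key.
Case
When TsysLastscan.Lasttime < GetDate() - 1 Then
'Last registry scan more than 24 hours ago! Information may not be up-to-date. Try rescanning this machine.'
End As Comment,
-- One "found / value" pair per executable. Presence is judged on Valuename
-- (Is Not Null And <> ''); the raw data is reported next to it.
Case
When Excel.Valuename Is Not Null And Excel.Valuename <> '' Then 'Yes'
Else 'No'
End As [Excel RegKey Found],
Excel.Value As ExcelValue,
Case
When Graph.Valuename Is Not Null And Graph.Valuename <> '' Then 'Yes'
Else 'No'
End As [Graph RegKey Found],
Graph.Value As GraphValue,
Case
When MSAccess.Valuename Is Not Null And MSAccess.Valuename <> '' Then 'Yes'
Else 'No'
End As [MSAccess RegKey Found],
MSAccess.Value As MSAccessValue,
Case
When MSPub.Valuename Is Not Null And MSPub.Valuename <> '' Then 'Yes'
Else 'No'
End As [MSPub RegKey Found],
MSPub.Value As MSPubValue,
Case
When Powerpnt.Valuename Is Not Null And Powerpnt.Valuename <> '' Then 'Yes'
Else 'No'
End As [Powerpnt RegKey Found],
Powerpnt.Value As PowerpntValue,
Case
When Visio.Valuename Is Not Null And Visio.Valuename <> '' Then 'Yes'
Else 'No'
End As [Visio RegKey Found],
Visio.Value As VisioValue,
Case
When WinProj.Valuename Is Not Null And WinProj.Valuename <> '' Then 'Yes'
Else 'No'
End As [WinProj RegKey Found],
WinProj.Value As WinProjValue,
Case
When WinWord.Valuename Is Not Null And WinWord.Valuename <> '' Then 'Yes'
Else 'No'
End As [WinWord RegKey Found],
WinWord.Value As WinWordValue,
Case
When Wordpad.Valuename Is Not Null And Wordpad.Valuename <> '' Then 'Yes'
Else 'No'
End As [Wordpad RegKey Found],
Wordpad.Value As WordpadValue,
-- Latest scanning error for the asset, if any. Both conditions must hold
-- (non-null AND non-empty ErrorText), matching the RegKey checks above; the
-- error-type message is Coalesced so a missing lookup row cannot null out the
-- whole string.
Case
When tblErrors.ErrorText Is Not Null And tblErrors.ErrorText <> '' Then
'Scanning Error: ' + Coalesce(tsysasseterrortypes.ErrorMsg, '')
Else ''
End As ScanningErrors,
TsysLastscan.Lasttime As LastRegistryScan,
tblAssets.Firstseen,
tblAssets.Lastseen,
tblAssets.Lasttried
From tblAssets
Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
Inner Join tsysIPLocations On tsysIPLocations.LocationID = tblAssets.LocationID
Inner Join tblState On tblState.State = tblAssetCustom.State
Left Join tsysOS On tsysOS.OScode = tblAssets.OScode
-- Most recent error row (highest Teller) per asset, then its type text.
Left Join (Select Top 1000000 tblErrors.AssetID As ID,
Max(tblErrors.Teller) As ErrorID
From tblErrors
Group By tblErrors.AssetID) As ScanningError On tblAssets.AssetID = ScanningError.ID
Left Join tblErrors On ScanningError.ErrorID = tblErrors.Teller
Left Join tsysasseterrortypes On tsysasseterrortypes.Errortype = tblErrors.ErrorType
-- TsysWaittime.CFGname = 'registry' (in Where) pins Lasttime to the registry scan.
Inner Join TsysLastscan On tblAssets.AssetID = TsysLastscan.AssetID
Inner Join TsysWaittime On TsysWaittime.CFGCode = TsysLastscan.CFGcode
-- One Left Join per executable, with every condition in On so that assets
-- lacking the value still appear (as "No"). Like with a leading % allows for
-- the prefix stored in front of the key path; note that '_' in a Like pattern
-- is a single-character wildcard, so the underscores in the feature name are
-- not matched literally (over-matching is harmless here).
Left Join tblRegistry As Excel On Excel.AssetID = tblAssets.AssetID
And Excel.Regkey Like '%SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
And Excel.Valuename = 'Excel.exe'
Left Join tblRegistry As Graph On Graph.AssetID = tblAssets.AssetID
And Graph.Regkey Like '%SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
And Graph.Valuename = 'Graph.exe'
Left Join tblRegistry As MSAccess On MSAccess.AssetID = tblAssets.AssetID
And MSAccess.Regkey Like '%SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
And MSAccess.Valuename = 'MSAccess.exe'
Left Join tblRegistry As MSPub On MSPub.AssetID = tblAssets.AssetID
And MSPub.Regkey Like '%SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
And MSPub.Valuename = 'MSPub.exe'
Left Join tblRegistry As Powerpnt On Powerpnt.AssetID = tblAssets.AssetID
And Powerpnt.Regkey Like '%SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
And Powerpnt.Valuename = 'Powerpnt.exe'
Left Join tblRegistry As Visio On Visio.AssetID = tblAssets.AssetID
And Visio.Regkey Like '%SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
And Visio.Valuename = 'Visio.exe'
Left Join tblRegistry As WinProj On WinProj.AssetID = tblAssets.AssetID
And WinProj.Regkey Like '%SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
And WinProj.Valuename = 'WinProj.exe'
Left Join tblRegistry As WinWord On WinWord.AssetID = tblAssets.AssetID
And WinWord.Regkey Like '%SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
And WinWord.Valuename = 'WinWord.exe'
Left Join tblRegistry As Wordpad On Wordpad.AssetID = tblAssets.AssetID
And Wordpad.Regkey Like '%SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
And Wordpad.Valuename = 'Wordpad.exe'
Inner Join tblComputersystem On tblComputersystem.AssetID = tblAssets.AssetID
-- State = 1: active assets only. Domainrole = 1: domain-joined workstations.
Where tblAssetCustom.State = 1 And TsysWaittime.CFGname = 'registry' And
tblComputersystem.Domainrole = 1
Order By tblAssets.Domain,
tblAssets.AssetName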
