Storm-0978 Attacks Mitigation Audit
Monitor Your Mitigation Progress for CVE-2023-36884
CISA has ordered federal agencies to mitigate the RCE zero-day vulnerabilities affecting Windows and Office before the 8th of August. This gives you just three weeks to implement the mitigations. The exploited remote code execution vulnerabilities are collectively tracked as CVE-2023-36884. Microsoft has confirmed that these vulnerabilities have been exploited in cyberattacks against government entities in North America and Europe, including phishing attacks against NATO. The attackers used malicious Office documents impersonating the Ukrainian World Congress organization to target participants of the NATO Summit in Vilnius.
If you are using Microsoft 365 Apps versions 2302 or higher, you are safe from attachments that try to exploit the vulnerability. Otherwise, you can set the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key to avoid exploitation. If you are using the registry key. If you’re looking for a more basic view of which Office versions you have in your environment, you can use the Microsoft Office Version Audit.
Storm-0978 Attacks Mitigation Lansweeper On-Prem Query
-- For every active asset, report whether each per-application value exists under
-- FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION and which data it holds.
Select Top 1000000 tblAssets.AssetID,
  tblAssets.AssetName,
  tblAssets.Domain,
  tblAssets.Username,
  tblAssets.Userdomain,
  Coalesce(tsysOS.Image, tsysAssetTypes.AssetTypeIcon10) As icon,
  tblAssets.IPAddress,
  tsysIPLocations.IPLocation,
  tblAssetCustom.Manufacturer,
  tblAssetCustom.Model,
  tsysOS.OSname As OS,
  tblAssets.Version,
  tblAssets.SP,
  -- Warn when the registry data is older than one day
  Case
    When TsysLastscan.Lasttime < GetDate() - 1 Then 'Last registry scan more than 24 hours ago! Information may not be up-to-date. Try rescanning this machine.'
  End As Comment,
  -- One "found" flag and one data column per application value
  Case When Excel.Valuename Is Not Null And Excel.Valuename <> '' Then 'Yes' Else 'No' End As [Excel RegKey Found],
  Excel.Value As ExcelValue,
  Case When Graph.Valuename Is Not Null And Graph.Valuename <> '' Then 'Yes' Else 'No' End As [Graph RegKey Found],
  Graph.Value As GraphValue,
  Case When MSAccess.Valuename Is Not Null And MSAccess.Valuename <> '' Then 'Yes' Else 'No' End As [MSAccess RegKey Found],
  MSAccess.Value As MSAccessValue,
  Case When MSPub.Valuename Is Not Null And MSPub.Valuename <> '' Then 'Yes' Else 'No' End As [MSPub RegKey Found],
  MSPub.Value As MSPubValue,
  Case When Powerpnt.Valuename Is Not Null And Powerpnt.Valuename <> '' Then 'Yes' Else 'No' End As [Powerpnt RegKey Found],
  Powerpnt.Value As PowerpntValue,
  Case When Visio.Valuename Is Not Null And Visio.Valuename <> '' Then 'Yes' Else 'No' End As [Visio RegKey Found],
  Visio.Value As VisioValue,
  Case When WinProj.Valuename Is Not Null And WinProj.Valuename <> '' Then 'Yes' Else 'No' End As [WinProj RegKey Found],
  WinProj.Value As WinProjValue,
  Case When WinWord.Valuename Is Not Null And WinWord.Valuename <> '' Then 'Yes' Else 'No' End As [WinWord RegKey Found],
  WinWord.Value As WinWordValue,
  Case When Wordpad.Valuename Is Not Null And Wordpad.Valuename <> '' Then 'Yes' Else 'No' End As [Wordpad RegKey Found],
  Wordpad.Value As WordpadValue,
  -- Most recent scanning error for the asset, if any
  Case
    When tblErrors.ErrorText Is Not Null Or tblErrors.ErrorText != '' Then 'Scanning Error: ' + tsysasseterrortypes.ErrorMsg
    Else ''
  End As ScanningErrors,
  TsysLastscan.Lasttime As LastRegistryScan,
  tblAssets.Firstseen,
  tblAssets.Lastseen,
  tblAssets.Lasttried
From tblAssets
  Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
  Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
  Inner Join tsysIPLocations On tsysIPLocations.LocationID = tblAssets.LocationID
  Inner Join tblState On tblState.State = tblAssetCustom.State
  Left Join tsysOS On tsysOS.OScode = tblAssets.OScode
  Left Join (Select Distinct Top 1000000 tblErrors.AssetID As ID,
      Max(tblErrors.Teller) As ErrorID
    From tblErrors
    Group By tblErrors.AssetID) As ScanningError On tblAssets.AssetID = ScanningError.ID
  Left Join tblErrors On ScanningError.ErrorID = tblErrors.Teller
  Left Join tsysasseterrortypes On tsysasseterrortypes.Errortype = tblErrors.ErrorType
  Inner Join TsysLastscan On tblAssets.AssetID = TsysLastscan.AssetID
  Inner Join TsysWaittime On TsysWaittime.CFGCode = TsysLastscan.CFGcode
  -- One subquery per application value name under the FeatureControl key
  Left Join (Select Top 1000000 tblRegistry.AssetID, tblRegistry.Regkey, tblRegistry.Valuename, tblRegistry.Value, tblRegistry.Lastchanged
    From tblRegistry
    Where tblRegistry.Regkey Like '%SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
      And tblRegistry.Valuename = 'Excel.exe') Excel On Excel.AssetID = tblAssets.AssetID
  Left Join (Select Top 1000000 tblRegistry.AssetID, tblRegistry.Regkey, tblRegistry.Valuename, tblRegistry.Value, tblRegistry.Lastchanged
    From tblRegistry
    Where tblRegistry.Regkey Like '%SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
      And tblRegistry.Valuename = 'Graph.exe') Graph On Graph.AssetID = tblAssets.AssetID
  Left Join (Select Top 1000000 tblRegistry.AssetID, tblRegistry.Regkey, tblRegistry.Valuename, tblRegistry.Value, tblRegistry.Lastchanged
    From tblRegistry
    Where tblRegistry.Regkey Like '%SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
      And tblRegistry.Valuename = 'MSAccess.exe') MSAccess On MSAccess.AssetID = tblAssets.AssetID
  Left Join (Select Top 1000000 tblRegistry.AssetID, tblRegistry.Regkey, tblRegistry.Valuename, tblRegistry.Value, tblRegistry.Lastchanged
    From tblRegistry
    Where tblRegistry.Regkey Like '%SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
      And tblRegistry.Valuename = 'MSPub.exe') MSPub On MSPub.AssetID = tblAssets.AssetID
  Left Join (Select Top 1000000 tblRegistry.AssetID, tblRegistry.Regkey, tblRegistry.Valuename, tblRegistry.Value, tblRegistry.Lastchanged
    From tblRegistry
    Where tblRegistry.Regkey Like '%SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
      And tblRegistry.Valuename = 'Powerpnt.exe') Powerpnt On Powerpnt.AssetID = tblAssets.AssetID
  Left Join (Select Top 1000000 tblRegistry.AssetID, tblRegistry.Regkey, tblRegistry.Valuename, tblRegistry.Value, tblRegistry.Lastchanged
    From tblRegistry
    Where tblRegistry.Regkey Like '%SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
      And tblRegistry.Valuename = 'Visio.exe') Visio On Visio.AssetID = tblAssets.AssetID
  Left Join (Select Top 1000000 tblRegistry.AssetID, tblRegistry.Regkey, tblRegistry.Valuename, tblRegistry.Value, tblRegistry.Lastchanged
    From tblRegistry
    Where tblRegistry.Regkey Like '%SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
      And tblRegistry.Valuename = 'WinProj.exe') WinProj On WinProj.AssetID = tblAssets.AssetID
  Left Join (Select Top 1000000 tblRegistry.AssetID, tblRegistry.Regkey, tblRegistry.Valuename, tblRegistry.Value, tblRegistry.Lastchanged
    From tblRegistry
    Where tblRegistry.Regkey Like '%SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
      And tblRegistry.Valuename = 'WinWord.exe') WinWord On WinWord.AssetID = tblAssets.AssetID
  Left Join (Select Top 1000000 tblRegistry.AssetID, tblRegistry.Regkey, tblRegistry.Valuename, tblRegistry.Value, tblRegistry.Lastchanged
    From tblRegistry
    Where tblRegistry.Regkey Like '%SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
      And tblRegistry.Valuename = 'Wordpad.exe') Wordpad On Wordpad.AssetID = tblAssets.AssetID
  Inner Join tblComputersystem On tblComputersystem.AssetID = tblAssets.AssetID
-- State = 1: active assets; CFGname = 'registry': use the registry scan time;
-- Domainrole = 1: domain-member workstations only
Where tblAssetCustom.State = 1
  And TsysWaittime.CFGname = 'registry'
  And tblComputersystem.Domainrole = 1
Order By tblAssets.Domain,
  tblAssets.AssetName
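A narrower companion to the report above, added here as an example and not part of Lansweeper's published query: it lists only the workstations where fewer than nine of the application values are present with data 1, the REG_DWORD data Microsoft's mitigation for CVE-2023-36884 sets. It assumes tblRegistry.Value stores that DWORD as the text '1'; the Mitigation alias and the output column names are made up for this example.

```sql
-- Added example: assets with an incomplete FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION
-- mitigation (fewer than 9 of the per-application values present with data 1).
-- Assumption: tblRegistry.Value holds the DWORD data as the text '1'.
-- An asset whose registry was never scanned also shows up as 'Not mitigated'.
Select Top 1000000 tblAssets.AssetID,
  tblAssets.AssetName,
  tblAssets.Domain,
  tblAssets.IPAddress,
  Coalesce(Mitigation.ValuesSetTo1, 0) As ValuesSetTo1,
  9 - Coalesce(Mitigation.ValuesSetTo1, 0) As ValuesMissing,
  Case
    When Coalesce(Mitigation.ValuesSetTo1, 0) = 0 Then 'Not mitigated'
    Else 'Partially mitigated'
  End As MitigationStatus,
  tblAssets.Lastseen
From tblAssets
  Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
  Inner Join tblComputersystem On tblComputersystem.AssetID = tblAssets.AssetID
  -- Count, per asset, how many of the nine value names carry data 1
  Left Join (Select tblRegistry.AssetID,
      Count(Distinct tblRegistry.Valuename) As ValuesSetTo1
    From tblRegistry
    Where tblRegistry.Regkey Like '%SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
      And tblRegistry.Valuename In ('Excel.exe', 'Graph.exe', 'MSAccess.exe',
        'MSPub.exe', 'Powerpnt.exe', 'Visio.exe', 'WinProj.exe', 'WinWord.exe',
        'Wordpad.exe')
      And tblRegistry.Value = '1'
    Group By tblRegistry.AssetID) As Mitigation
    On Mitigation.AssetID = tblAssets.AssetID
Where tblAssetCustom.State = 1
  And tblComputersystem.Domainrole = 1
  And Coalesce(Mitigation.ValuesSetTo1, 0) < 9
Order By ValuesSetTo1,
  tblAssets.Domain,
  tblAssets.AssetName
```

Assets running Microsoft 365 Apps version 2302 or higher will still appear in this list even though the registry key is not required for them, so cross-check the result against the Office version audit before treating a row as exposed.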