//CVE-2023-4863 Process activity with .webp files on devices where CVE-2023-4863 is unpatched
//This query shows all process activity with .webp files on vulnerable machines and is not an indicator of malicious activity
let VulnDevices = DeviceTvmSoftwareVulnerabilities
| where CveId == "CVE-2023-4863"
| distinct DeviceId;
union DeviceProcessEvents, DeviceNetworkEvents, DeviceEvents
| where DeviceId in (VulnDevices) and (InitiatingProcessCommandLine has(".webp") or ProcessCommandLine has(".webp"))
| extend Name = tostring(split(AccountUpn, "@")[0]), UPNSuffix = tostring(split(AccountUpn, "@")[1])
| extend HostName = tostring(split(DeviceName, ".")[0]), DomainIndex = toint(indexof(DeviceName, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)
query: |-
//CVE-2023-4863 Process activity with .webp files on devices where CVE-2023-4863 is unpatched
//This query shows all process activity with .webp files on vulnerable machines and is not an indicator of malicious activity
let VulnDevices = DeviceTvmSoftwareVulnerabilities
| where CveId == "CVE-2023-4863"
| distinct DeviceId;
union DeviceProcessEvents, DeviceNetworkEvents, DeviceEvents
| where DeviceId in (VulnDevices) and (InitiatingProcessCommandLine has(".webp") or ProcessCommandLine has(".webp"))
| extend Name = tostring(split(AccountUpn, "@")[0]), UPNSuffix = tostring(split(AccountUpn, "@")[1])
| extend HostName = tostring(split(DeviceName, ".")[0]), DomainIndex = toint(indexof(DeviceName, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)
tags:
- CVE-2023-4863
suppressionEnabled: false
description: |
'This query looks at device, process, and network events from Defender for Endpoint that may be vulnerable to buffer overflow defined in CVE-2023-4863. Results are not an indicator of malicious activity.'
triggerOperator: gt
triggerThreshold: 0
queryPeriod: 1h
queryFrequency: 1h
entityMappings:
- entityType: Host
fieldMappings:
- columnName: DeviceName
identifier: FullName
- columnName: HostName
identifier: HostName
- columnName: HostNameDomain
identifier: DnsDomain
- entityType: Account
fieldMappings:
- columnName: AccountUpn
identifier: FullName
- columnName: Name
identifier: Name
- columnName: UPNSuffix
identifier: UPNSuffix
- entityType: IP
fieldMappings:
- columnName: LocalIP
identifier: Address
- entityType: Process
fieldMappings:
- columnName: ProcessId
identifier: ProcessId
- entityType: Process
fieldMappings:
- columnName: InitiatingProcessId
identifier: ProcessId
- entityType: Process
fieldMappings:
- columnName: ProcessCommandLine
identifier: CommandLine
suppressionDuration: PT5H
name: Execution of software vulnerable to webp buffer overflow of CVE-2023-4863
status: Available
id: 26e81021-2de6-4442-a74a-a77885e96911
tactics:
- Execution
alertDetailsOverride:
alertDisplayNameFormat: Possible exploitation of CVE-2023-4863
alertDynamicProperties: []
eventGroupingSettings:
aggregationKind: SingleAlert
kind: Scheduled
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceProcessEvents
- DeviceNetworkEvents
- DeviceEvents
- DeviceTvmSoftwareVulnerabilities
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/PossibleWebpBufferOverflow.yaml
incidentConfiguration:
createIncident: false
groupingConfiguration:
enabled: false
lookbackDuration: PT5H
groupByEntities:
- Account
groupByAlertDetails: []
matchingMethod: Selected
reopenClosedIncident: false
groupByCustomDetails: []
version: 1.1.2
severity: Informational
relevantTechniques:
- T1203
