Detect CVE-2023-36424 - Microsoft Windows Out-of-Bounds Read Exploitation in Splunk
Detects exploitation attempts of CVE-2023-36424, a Microsoft Windows out-of-bounds read vulnerability (CWE-125) listed in CISA's Known Exploited Vulnerabilities catalog. Out-of-bounds read vulnerabilities in Windows kernel or system components can be leveraged for privilege escalation, information disclosure, or as a stepping stone in exploit chains. This detection monitors for anomalous process behavior, crash artifacts, and privilege escalation patterns consistent with exploitation of this class of vulnerability.
SPL Detection Query
index=wineventlog OR index=sysmon earliest=-24h sourcetype IN ("WinEventLog:Security", "WinEventLog:Application", "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational")
| eval ComputerName=coalesce(ComputerName, Computer, host)
| eval new_process=lower(coalesce(NewProcessName, New_Process_Name))
| eval subject_user=coalesce(SubjectUserName, Subject_User_Name)
| eval is_crash_event=if(EventCode=="1000" OR EventCode=="1001" OR (EventCode=="4688" AND like(new_process, "%werfault%")), 1, 0)
| eval is_privesc=if(EventCode=="4672" AND NOT like(subject_user, "%$"), 1, 0)
| eval is_memory_violation=if(sourcetype=="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" AND EventCode=="11" AND (like(TargetFilename, "%Watson%") OR like(TargetFilename, "%CrashDumps%")), 1, 0)
| eval risk_score=is_crash_event + is_privesc + is_memory_violation
| where risk_score >= 1
| stats min(_time) as first_seen, max(_time) as last_seen, count as event_count, sum(is_crash_event) as crash_events, sum(is_privesc) as privesc_events, sum(is_memory_violation) as memory_events, values(host) as hosts, values(subject_user) as users by ComputerName
| eval cve="CVE-2023-36424"
| convert ctime(first_seen) ctime(last_seen)
| table first_seen, last_seen, ComputerName, hosts, users, event_count, crash_events, privesc_events, memory_events, cve
Splunk correlation search detecting CVE-2023-36424 exploitation indicators across Windows Security and Application event logs and Sysmon. Scores events based on crash artifacts, privilege escalation, and memory violation indicators. The time window is applied as an earliest= search modifier in the base search (a where clause cannot filter on earliest), the Application log is included because Event IDs 1000 and 1001 are written there rather than to the Security log, classic and XML field names are coalesced so both sourcetypes populate the flags, and first_seen/last_seen are aggregated because _time does not survive the stats stage.
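To make the scoring stage concrete, here is an added example (not part of the page's detection package) that re-implements the three eval flags and the per-host stats stage in Python over constructed sample events. It models the query's logic offline for unit-testing the rule's thresholds; the werfault match is done case-insensitively here.

```python
from collections import defaultdict
SYSMON = "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"

# Constructed sample events carrying only the fields the SPL query keys on.
SAMPLE_EVENTS = [
    {"ComputerName": "WS01", "sourcetype": "WinEventLog:Application", "EventCode": "1000"},
    {"ComputerName": "WS01", "sourcetype": SYSMON, "EventCode": "11",
     "TargetFilename": r"C:\Users\alice\AppData\Local\CrashDumps\app.exe.1234.dmp"},
    {"ComputerName": "WS01", "sourcetype": "WinEventLog:Security", "EventCode": "4672",
     "SubjectUserName": "alice"},
    # Machine account (trailing '$'): the NOT like(..., "%$") clause must exclude it.
    {"ComputerName": "WS02", "sourcetype": "WinEventLog:Security", "EventCode": "4672", "SubjectUserName": "WS02$"},
    # Ordinary process creation with no werfault in the path: no crash flag.
    {"ComputerName": "WS02", "sourcetype": "WinEventLog:Security", "EventCode": "4688",
     "NewProcessName": r"C:\Windows\System32\notepad.exe"},
]

def is_crash_event(ev):
    """EventCode 1000/1001, or a 4688 whose new process path contains werfault."""
    code = ev.get("EventCode")
    return int(code in ("1000", "1001") or
               (code == "4688" and "werfault" in ev.get("NewProcessName", "").lower()))

def is_privesc(ev):
    """4672 for a human account; a trailing '$' marks a machine account."""
    return int(ev.get("EventCode") == "4672"
               and not ev.get("SubjectUserName", "").endswith("$"))

def is_memory_violation(ev):
    """Sysmon FileCreate (11) landing in a Watson or CrashDumps path."""
    target = ev.get("TargetFilename", "")
    return int(ev.get("sourcetype") == SYSMON and ev.get("EventCode") == "11"
               and ("Watson" in target or "CrashDumps" in target))

def score_events(events):
    """Per-host counters, matching the stats ... by ComputerName stage of the query."""
    hosts = defaultdict(lambda: {"event_count": 0, "crash_events": 0,
                                 "privesc_events": 0, "memory_events": 0, "users": set()})
    for ev in events:
        crash, privesc, memory = is_crash_event(ev), is_privesc(ev), is_memory_violation(ev)
        if crash + privesc + memory < 1:  # where risk_score >= 1
            continue
        h = hosts[ev["ComputerName"]]
        h["event_count"] += 1
        h["crash_events"] += crash
        h["privesc_events"] += privesc
        h["memory_events"] += memory
        if ev.get("SubjectUserName"):
            h["users"].add(ev["SubjectUserName"])
    return dict(hosts)
```

Feeding SAMPLE_EVENTS through score_events yields one row for WS01 with one crash, one privilege-escalation and one memory-violation event; WS02 produces no row, which is the behaviour to expect for machine-account 4672 events and benign process creation.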
False Positives & Tuning
- Legitimate software crashes on hosts running unstable or beta software builds
- System administrators performing privilege-sensitive operations that generate 4672 events
- Crash dump collection by monitoring tools creating files in CrashDumps directories
- Windows Error Reporting collecting telemetry from non-malicious application faults
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Simulate Out-of-Bounds Read Crash via Malformed Input
  Expected signal: Windows Event ID 1000 (Application Error) and 1001 (WER) in Application log; WerFault.exe process launch visible in Sysmon Event ID 1; crash dump file created in %LOCALAPPDATA%\CrashDumps
- Test 2: Privilege Escalation Simulation Following Crash Artifact
  Expected signal: Windows Event ID 4672 (Special Privileges Assigned) in Security log; process creation events in Sysmon for cmd.exe and powershell.exe; elevated process token in DeviceProcessEvents
- Test 3: Memory Dump Creation Mimicking Exploit Artifact
  Expected signal: Sysmon Event ID 11 (FileCreate) for .dmp file in CrashDumps directory; DeviceFileEvents entry for the dump file creation; rundll32.exe process creation with comsvcs.dll MiniDump arguments in process telemetry
- Test 4: WerFault.exe Manual Invocation Simulation
  Expected signal: Sysmon Event ID 1 showing WerFault.exe launched by PowerShell (non-standard parent); DeviceProcessEvents with FileName=werfault.exe and InitiatingProcessFileName=powershell.exe; potential Event ID 1001 in Application log