My assumption is that the ClamAV default (community signature) database does not contain a detection for CVE-2023-23397. However, the database file is a binary format. I tried searching around and have not found an easy place to list the current contents of the database. Two questions:
1) Where can I find the list of granular detection signatures in the ClamAV DB?
2) What is the best way for adding a custom signature to the database without it being nuked by an update?
From the information about this vulnerability, it appears straightforward to write a detection signature that matches "PidLidReminderFileParameter" and "PidLidReminderOverride".
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397
https://nvd.nist.gov/vuln/detail/CVE-2023-23397
"Microsoft Office Outlook Privilege Escalation Vulnerability"
"""
Threat actors are exploiting this vulnerability by sending a malicious email—which, again, does not need to be opened. From here, attackers capture Net-NTLMv2 hashes, which enable authentication in Windows environments. This allows threat actors to potentially authenticate themselves as the victims, escalate privileges, or further compromise the environment.
"""
https://www.huntress.com/blog/everything-we-know-about-cve-2023-23397
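As an added example (not from the post or the ClamAV project), the following builds a ClamAV logical signature (`.ldb`) that fires only when both property names quoted in the question occur, in either ASCII or UTF-16LE form, and includes a small local evaluator so the logic can be sanity-checked on sample bytes before loading it into clamscan. The signature name, the sample payloads and the choice to match the two names literally are assumptions for illustration; whether those names appear verbatim in a given message format is for the analyst to confirm against real samples.

```python
import re

# Property names taken from the question; used here as plain substrings (assumption).
PATTERNS = ["PidLidReminderFileParameter", "PidLidReminderOverride"]


def to_hex(s: str, encoding: str) -> str:
    """ClamAV subsignatures are hex strings of the raw bytes to match."""
    return s.encode(encoding).hex()


def build_ldb(name: str, patterns: list[str], target: int = 0) -> str:
    """Emit one .ldb line: Name;Target:N;LogicalExpression;Sub0;Sub1;...
    Every pattern becomes two subsignatures (ASCII, UTF-16LE) and the logical
    expression requires one encoding of each pattern, e.g. (0|1)&(2|3).
    Target 0 means any file type."""
    subsigs, groups = [], []
    for p in patterns:
        i = len(subsigs)
        subsigs += [to_hex(p, "ascii"), to_hex(p, "utf-16-le")]
        groups.append(f"({i}|{i + 1})")
    return ";".join([name, f"Target:{target}", "&".join(groups), *subsigs])


def evaluate_ldb(sig: str, data: bytes) -> bool:
    """Local sanity check of a simple .ldb line (plain hex substrings; only &, |
    and parentheses in the expression) against sample bytes. ClamAV's own
    matcher is authoritative; this only mirrors the boolean logic."""
    _name, _target, expr, *subsigs = sig.split(";")
    if not re.fullmatch(r"[\d()&|]+", expr):
        raise ValueError("evaluator supports only digits, &, | and parentheses")
    hits = [bytes.fromhex(h) in data for h in subsigs]
    # Replace each subsignature index with its hit result, then evaluate.
    py_expr = re.sub(r"\d+", lambda m: str(hits[int(m.group())]), expr)
    py_expr = py_expr.replace("&", " and ").replace("|", " or ")
    return bool(eval(py_expr))  # expression was validated above


SIG = build_ldb("Custom.Outlook.CVE-2023-23397.ReminderFileParameter", PATTERNS)

# Constructed sample payloads (not real messages): one carrying both names in
# UTF-16LE, which must fire, and one with a single name in ASCII, which must not.
SAMPLE_HIT = (b"\x00" * 8 + "PidLidReminderOverride".encode("utf-16-le")
              + b"\x00" * 4 + "PidLidReminderFileParameter".encode("utf-16-le"))
SAMPLE_MISS = b"PidLidReminderOverride" + b"\x00" * 16

if __name__ == "__main__":
    print(SIG)
    print(evaluate_ldb(SIG, SAMPLE_HIT), evaluate_ldb(SIG, SAMPLE_MISS))
```

To deploy, write the line to a file with an `.ldb` extension in ClamAV's DatabaseDirectory (for example `/var/lib/clamav/custom.ldb`); freshclam only replaces the official `.cvd`/`.cld` files, so a separately named file survives updates, and `clamscan -d custom.ldb sample` loads it on its own for testing. For the first question, `sigtool --list-sigs` prints the signature names in a database file, and `sigtool --unpack=daily.cvd` extracts the official `.ndb`/`.ldb` text files so they can be grepped.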