Continuing with the Incident Responder Path, we tackle a Windows 10 system whose user apparently extracted a RAR archive and opened the Word document inside it. Was it just an ordinary Office document, or a malicious one?
⭐ Microsoft: Unpatched Office Zero-day Exploited in NATO Summit Attacks
EventID: 168
Event Time: Jul 18, 2023, 01:07 PM
Rule: SOC215 - Possible Zero Day Exploit Detected (CVE-2023-36884)
Level: Incident Responder
Hostname: Anthony
IP Address: 172.16.17.157
Affected User: Anthony
Alert Trigger Reason: Potential Office and Windows HTML Remote Code Execution Vulnerability Detected (CVE-2023-36884)
File Path: C:\Users\LetsDefend\Downloads\Overview_of_UWCs_UkraineInNATO_campaign.docx
Hash: A61B2EAFCF39715031357DF6B01E85E0D1EA2E8EE1DFEC241B114E18F7A1163F
L1 Note: When I examined the alert, it was found that, minutes before the alert, the user had received an email with the attachment "Overview_of_UWCs_UkraineInNATO_campaign.rar". However, I could not determine whether Anthony opened the file.
RAR File:
[ Link ]
Word Doc:
[ Link ]
[ Link ]
NOTES:
[ Link ]
[ Link ]
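As a triage aid for the alert above, here is an added Python example (my own, not code from the original post, from LetsDefend, or from the linked write-ups) that performs two of the first checks an incident responder would run on the downloaded .docx before deciding it is "simply an Office document": verify its SHA-256 against the hash reported in the alert, and unpack the OOXML zip to list every relationship with TargetMode="External" plus any embedded object parts, since a plain text document should carry neither. The sample document it builds, and the UNC share path it points at, are constructed inline for the demo (TEST-NET-3 address); the real attachment from the case is not included, so the hash check on the sample correctly reports no match.

```python
import hashlib
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# SHA-256 reported in the SOC215 alert (taken from the alert fields above); compared case-insensitively.
ALERT_SHA256 = "A61B2EAFCF39715031357DF6B01E85E0D1EA2E8EE1DFEC241B114E18F7A1163F"

# OPC relationships namespace used by every *.rels part inside a .docx package.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

# Constructed placeholder target for the demo document; this is NOT an IOC from the case.
SAMPLE_EXTERNAL_TARGET = r"\\203.0.113.10\share\file001.url"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def matches_alert_hash(data: bytes, expected: str = ALERT_SHA256) -> bool:
    """True if the file content hashes to the value reported in the alert."""
    return sha256_hex(data).lower() == expected.lower()


def external_relationships(docx_bytes: bytes) -> List[Dict[str, str]]:
    """Every relationship, in any .rels part, whose TargetMode is External.
    These are the entries that make Word fetch something from a URL or UNC path."""
    findings: List[Dict[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                # A .rels part Word would still accept but our parser cannot read is worth a look.
                findings.append({"part": name, "type": "unparseable", "target": ""})
                continue
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if rel.get("TargetMode", "Internal") == "External":
                    findings.append({
                        "part": name,
                        # Last path segment of the Type URI, e.g. oleObject, hyperlink, attachedTemplate
                        "type": rel.get("Type", "").rsplit("/", 1)[-1],
                        "target": rel.get("Target", ""),
                    })
    return findings


def embedded_parts(docx_bytes: bytes) -> List[str]:
    """Zip members that carry embedded binaries (OLE packages, .bin or .rtf blobs)."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        return [n for n in zf.namelist()
                if n.startswith("word/embeddings/") or n.lower().endswith((".bin", ".rtf"))]


def triage(docx_bytes: bytes) -> dict:
    """Summarise the checks. External hyperlinks are normal in a document; an oleObject,
    attachedTemplate or similar relationship pointing outside the package is not."""
    ext = external_relationships(docx_bytes)
    emb = embedded_parts(docx_bytes)
    risky = [r for r in ext if r["type"] != "hyperlink"]
    return {
        "sha256": sha256_hex(docx_bytes),
        "matches_alert": matches_alert_hash(docx_bytes),
        "external_rels": ext,
        "embedded_parts": emb,
        "verdict": "suspicious" if (risky or emb) else "no remote content found",
    }


def build_sample_docx(external_target: Optional[str]) -> bytes:
    """Constructed minimal OOXML package for the demo (not the real attachment)."""
    rels = ['<Relationships xmlns="%s">' % REL_NS,
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/'
            'relationships/styles" Target="styles.xml"/>']
    if external_target is not None:
        rels.append('<Relationship Id="rId9" Type="http://schemas.openxmlformats.org/officeDocument/2006/'
                    'relationships/oleObject" Target="%s" TargetMode="External"/>' % external_target)
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", '<w:document xmlns:w="%s"/>' % W_NS)
        zf.writestr("word/styles.xml", '<w:styles xmlns:w="%s"/>' % W_NS)
        zf.writestr("word/_rels/document.xml.rels", "".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("benign sample", build_sample_docx(None)),
                       ("external OLE sample", build_sample_docx(SAMPLE_EXTERNAL_TARGET))):
        print(label, triage(doc))
```

To use it on the real artefact, read the .docx from disk in an isolated analysis VM and pass the bytes to triage(); a matches_alert of True confirms you are looking at the file the alert fired on, and any non-hyperlink external relationship or embedded part is the next thing to pull apart.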
