Recently I had a customer ask about an Advanced Hunting Query that could detect the Microsoft Screen Clipping vulnerability CVE-2023-28303. Some initial testing of the Threat and Vulnerability Management in Advanced Hunting tables this software is not being captured on my test machines. However, there are still some ways we can detect the potential of this vulnerability.
Advanced Hunting Query
Since I could not find the application listed in my TVM tables the next approach I took was to see if I can find the application when it is used. What I found is there are two screen clipping executables that work together: ScreenClippingHost.exe and ScreenSketch.exe. The ScreenClippingHost.exe is what is triggered when a user uses the Win+Shift+S key combination so they can select the portion of the screen to clip. After performing this snip and clicking on the toast notification the next process ScreenSketch.exe is initiated and it is in this process where the image can be modified and I believe where the primary issues of the CVE is reported, also if you read MS’s documentation the version numbers align on this application vs. the ScreenClippingHost.exe version.
DeviceProcessEvents
| where FileName contains "screen" and FileName != "smartscreen.exe"
| extend Version = split(FolderPath, '_', 1)
| extend Version = iif(ProcessVersionInfoProductVersion != "", ProcessVersionInfoProductVersion, Version[0])
| project Timestamp, DeviceName, Version, FileName, FolderPath, ProcessVersionInfoProductVersion
The second finding was that the ScreenSketch.exe file does not report ProessVersionInfoProductVersion information. Instead the product version is part of the FolderPath so the version needed to be extracted. To support and make this cleaner I created the Version column to provide a Unified version result.
Extending the Query to a Custom Alert
The next step can be to take the above query and convert it into a Custom Detection. For this we can limit the Filename to ScreenSketch.exe and we should look for versions that are not 11.2302.20.0 for Windows 11 or 10.2008.3001.0 for Windows 10.
DeviceProcessEvents
| where FileName == "ScreenSketch.exe"
| extend Version = split(FolderPath, '_', 1)
| extend Version = trim(" ", iif(ProcessVersionInfoProductVersion != "", ProcessVersionInfoProductVersion, Version[0]))
| extend version = split(Version, ".")
| extend vulnerable = iif(version[0] == 10, iif(version[1] < 2008, "yes", iif(version[1] == 2008, iif(version[2] < 3001, "yes", "no"), "no")),
iif(version[0] == 11, iif(version[1] < 2302, "yes", iif(version[1] == 2302, iif(version[2] < 20, "yes", "no"),"no")),"no"))
| project Timestamp, DeviceName, Version, vulnerable, FileName, FolderPath, ProcessVersionInfoProductVersion, DeviceId, ReportId
To support the custom alert the above query limites the detection to the ScreenSketch.exe file, looks for versions that do not match the recently updated ScreenSketch, and included the required fields (DeviceId, ReportId, Timestamp) required to create a customer detection.