Merge pull request #1803 from SigmaHQ/rule-devel

rule: ProxyShell improved

rules/web/web_exchange_proxyshell.yml

@@ -7,17 +7,20 @@ references:
     - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html
     - https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1
 author: Florian Roth
-date: 2020/08/07
+date: 2021/08/07
+modified: 2021/08/08
 tags:
     - attack.initial_access
 logsource:
     category: webserver
 detection:
-    selection1:
-        c-uri|contains|all:
-            - '/autodiscover/autodiscover.json?'
+    selection_auto:
+        c-uri|contains: '/autodiscover/autodiscover.json?'
+    selection_uri:
+        c-uri|contains:
             - '/powershell'
-    selection2:
+            - '/mapi/nspi'
+    selection_poc:
         c-uri|contains: 
             # since we don't know how it will appear in the log files, we'll just use all versions
             - 'autodiscover.json?@'
@@ -25,7 +28,7 @@ detection:
             - '%3f@foo.com'
             - 'Email=autodiscover/autodiscover.json'
             - 'json?@foo.com'
-    condition: 1 of them
+    condition: selection_auto and selection_uri or selection_poc 
 falsepositives:
-    - Unknown
+    - Could only be an attempt and not a successful attack
 level: high