From 54432980922e47bedb8609de14bc37a7f14d599f Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sun, 8 Aug 2021 18:52:49 +0200
Subject: [PATCH] rule: ProxyShell improved

---
 rules/web/web_exchange_proxyshell.yml | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/rules/web/web_exchange_proxyshell.yml b/rules/web/web_exchange_proxyshell.yml
index a838600a7..b23276d08 100644
--- a/rules/web/web_exchange_proxyshell.yml
+++ b/rules/web/web_exchange_proxyshell.yml
@@ -7,17 +7,20 @@ references:
 - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html
 - https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1
 author: Florian Roth
-date: 2020/08/07
+date: 2021/08/07
+modified: 2021/08/08
 tags:
 - attack.initial_access
 logsource:
 category: webserver
 detection:
- selection1:
- c-uri|contains|all:
- - '/autodiscover/autodiscover.json?'
+ selection_auto:
+ c-uri|contains: '/autodiscover/autodiscover.json?'
+ selection_uri:
+ c-uri|contains:
 - '/powershell'
- selection2:
+ - '/mapi/nspi'
+ selection_poc:
 c-uri|contains:
 # since we don't know how it will appear in the log files, we'll just use all versions
 - 'autodiscover.json?@'
@@ -25,7 +28,7 @@ detection:
 - '%3f@foo.com'
 - 'Email=autodiscover/autodiscover.json'
 - 'json?@foo.com'
- condition: 1 of them
+ condition: selection_auto and selection_uri or selection_poc
 falsepositives:
- - Unknown
+ - Could only be an attempt and not a successful attack
 level: high
\ No newline at end of file
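Review bot: `selection_auto` keys on the literal `?` in `'/autodiscover/autodiscover.json?'`, so the new AND-pair with `selection_uri` only fires when the query separator is part of the logged `c-uri` value; the comment the hunk keeps on `selection_poc` already admits the logged form is unknown, and a backend that stores stem and query in separate fields, or percent-encodes the separator, would miss this pair while `selection_poc` still carries its `%3f` variant. Since `selection_uri` already supplies the second path component, the trailing `?` adds little selectivity and could be dropped, `c-uri|contains: '/autodiscover/autodiscover.json'`, or an encoded variant listed beside it. The `date` fix to 2021 is consistent with the new `modified` field; the rule's `title`/`description` keys sit above this hunk and are not visible here.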
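Review bot: `condition: selection_auto and selection_uri or selection_poc` depends on Sigma's operator precedence (`and` binding tighter than `or`) to mean the pair OR the PoC strings, and that grouping is not obvious to a reader or to every converter; write it explicitly as `condition: (selection_auto and selection_uri) or selection_poc`. The new `falsepositives` entry is a caveat about attempt versus success rather than a source of benign matches, which is what consumers of that field expect; the attempt-vs-success wording fits better in the rule's `description`, which is outside this hunk, while `falsepositives` could name an actual benign source if one is known, or stay at `Unknown`.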