34 lines
1.1 KiB
YAML
title: Potential OWASSRF Exploitation Attempt - Proxy
id: 1ddf4596-1908-43c9-add2-1d2c2fcc4797
status: experimental
description: Detects exploitation attempts of the OWASSRF variant targeting Exchange servers. The attack uses the OWA endpoint to reach the PowerShell backend endpoint (the mailbox address in the URI is what makes the request stand out)
references:
    - https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/
    - https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/12/22
tags:
    - attack.initial_access
    - attack.t1190
logsource:
    category: proxy
detection:
    selection:
        cs-method: 'POST'
        sc-status: 200
        c-uri|contains|all:
            - '/owa/'
            - '/powershell'
        c-uri|contains:
            - '@'
            - '%40'
    filter:
        c-useragent:
            - 'ClientInfo'
            - 'Microsoft WinRM Client'
            - 'Exchange BackEnd Probes'
    condition: selection and not filter
falsepositives:
    - Web vulnerability scanners
level: high
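As an added example (this is not part of the rule, of Sigma's own tooling, or of the author's work), the detection block above evaluated in Python over a handful of constructed proxy log entries. The field names are the rule's; the log layout, client addresses, URIs and user-agents are assumptions invented for illustration. The example also shows two Sigma semantics that are easy to get wrong when porting a rule by hand: string matching is case-insensitive, and a field with no modifier (the `c-useragent` filter) compares the whole value rather than a substring.

```python
"""Evaluate the OWASSRF proxy rule over constructed proxy log lines.

Illustrative code only: it reimplements the rule's logic by hand and is
not Sigma's engine or the rule author's tooling.
"""

from typing import Dict, List, Optional

# Constructed sample log (assumption: a space-separated W3C-style layout with
# the fields date time c-ip cs-method c-uri sc-status c-useragent; the
# user-agent is last so it may contain spaces). None of this is real traffic.
SAMPLE_LOG = """\
2022-12-22 10:00:01 198.51.100.7 POST /owa/mastermailbox%40contoso.com/powershell 200 python-requests/2.28.1
2022-12-22 10:00:02 10.0.0.5 POST /owa/mastermailbox@contoso.com/powershell 200 Exchange BackEnd Probes
2022-12-22 10:00:03 203.0.113.9 GET /owa/auth/logon.aspx 200 Mozilla/5.0
2022-12-22 10:00:04 198.51.100.7 POST /owa/mastermailbox%40contoso.com/powershell 401 curl/7.86.0
2022-12-22 10:00:05 203.0.113.9 POST /owa/service.svc?action=GetFolder 200 Mozilla/5.0
2022-12-22 10:00:06 10.0.0.6 POST /powershell?PSVersion=5.1.17763.1 200 Microsoft WinRM Client
2022-12-22 10:00:07 198.51.100.8 POST /OWA/MasterMailbox%40contoso.com/PowerShell 200 curl/7.86.0
"""

# Values copied from the rule's detection block.
SELECTION_METHOD = "POST"
SELECTION_STATUS = 200
URI_CONTAINS_ALL = ("/owa/", "/powershell")      # c-uri|contains|all
URI_CONTAINS_ANY = ("@", "%40")                  # c-uri|contains (list is OR)
FILTER_USERAGENTS = ("ClientInfo", "Microsoft WinRM Client", "Exchange BackEnd Probes")


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Split one sample line into the rule's field names; None if malformed."""
    parts = line.split(maxsplit=6)
    if len(parts) != 7:
        return None
    _date, _time, c_ip, cs_method, c_uri, sc_status, c_useragent = parts
    try:
        status = int(sc_status)
    except ValueError:
        return None
    return {
        "c-ip": c_ip,
        "cs-method": cs_method,
        "c-uri": c_uri,
        "sc-status": status,
        "c-useragent": c_useragent,
    }


def _contains(value: str, needle: str) -> bool:
    # Sigma string matching is case-insensitive unless a modifier says otherwise.
    return needle.lower() in value.lower()


def selection(event: Dict[str, object]) -> bool:
    """The rule's 'selection' block: every field in the map must match (AND)."""
    return (
        str(event["cs-method"]).lower() == SELECTION_METHOD.lower()
        and event["sc-status"] == SELECTION_STATUS
        and all(_contains(str(event["c-uri"]), n) for n in URI_CONTAINS_ALL)
        and any(_contains(str(event["c-uri"]), n) for n in URI_CONTAINS_ANY)
    )


def filter_(event: Dict[str, object]) -> bool:
    """The rule's 'filter' block: c-useragent has no modifier, so Sigma compares
    the whole value (case-insensitively); a list of values is OR."""
    ua = str(event["c-useragent"]).lower()
    return any(ua == known.lower() for known in FILTER_USERAGENTS)


def matches(event: Dict[str, object]) -> bool:
    """condition: selection and not filter"""
    return selection(event) and not filter_(event)


def run_rule(log_text: str) -> List[Dict[str, object]]:
    """Return the parsed events that the rule would alert on."""
    hits = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is not None and matches(event):
            hits.append(event)
    return hits


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_LOG):
        print(f"ALERT c-ip={hit['c-ip']} c-uri={hit['c-uri']} ua={hit['c-useragent']}")
```

Running it flags only the first and last sample lines: the second passes the selection but is excluded by the user-agent filter, the GET and 401 lines fail the method and status checks, and the ordinary OWA and WinRM requests never contain both `/owa/` and `/powershell`. Two practical caveats when deploying the real rule: check whether your proxy logs the URI raw or URL-decoded, since the rule deliberately looks for both `@` and `%40`, and remember that the user-agent filter is exact-match, so a scanner or attacker spoofing one of the three listed strings would be suppressed.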