security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
d14e287cdf91e2a8b995de5bfbc3fa8540c1922b
blue-team-tools/rules/web/proxy_generic/proxy_exchange_owassrf_poc_exploitation.yml
T
Nasreddine Bencherchali 7c38a5c496 chore: add nextron authors tag
2023-02-01 11:14:59 +01:00

29 lines
1.2 KiB
YAML
Raw Blame History

title: OWASSRF Exploitation Attempt Using Public POC - Proxy
id: fdd7e904-7304-4616-a46a-e32f917c4be4
status: experimental
description: Detects exploitation attempt of the OWASSRF variant targeting exchange servers using publicly available POC. It uses the OWA endpoint to access the powershell backend endpoint
references:
- https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/
- https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/
- https://twitter.com/purp1ew0lf/status/1602989967776808961?s=12&t=OkZJl_ViICeiftVEsohRyw
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/12/22
tags:
- attack.initial_access
- attack.t1190
logsource:
category: proxy
detection:
selection:
# Look for the header: X-OWA-ExplicitLogonUser: owa/mastermailbox@outlook.com
c-useragent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.54 Safari/537.36'
cs-method: 'POST'
sc-status: 200
c-uri|contains|all:
- '/owa/mastermailbox'
- '/powershell'
condition: selection
falsepositives:
- Unlikely
level: critical
Reference in New Issue View Git Blame Copy Permalink