88 lines
3.9 KiB
Text
88 lines
3.9 KiB
Text
|
|
||
|
rule EXPL_LOG_ProxyNotShell_OWASSRF_PowerShell_Proxy_Log_Dec22_1 {
|
||
|
meta:
|
||
|
description = "Detects traces of exploitation activity in relation to ProxyNotShell MS Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082"
|
||
|
author = "Florian Roth (Nextron Systems)"
|
||
|
reference = "https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/"
|
||
|
date = "2022-12-22"
|
||
|
score = 70
|
||
|
id = "a61f6582-474f-5b6f-b8f5-329c0bcc4017"
|
||
|
strings:
|
||
|
$s1 = "/owa/mastermailbox%40outlook.com/powershell" ascii wide
|
||
|
|
||
|
$sa1 = " 200 " ascii wide
|
||
|
$sa2 = " POST " ascii wide
|
||
|
|
||
|
// based on filters found in CrowdStrikes script https://github.com/CrowdStrike/OWASSRF/blob/main/Rps_Http-IOC.ps1
|
||
|
$fp1 = "ClientInfo" ascii wide fullword
|
||
|
$fp2 = "Microsoft WinRM Client" ascii wide fullword
|
||
|
$fp3 = "Exchange BackEnd Probes" ascii wide fullword
|
||
|
condition:
|
||
|
all of ($s*) and not 1 of ($fp*)
|
||
|
}
|
||
|
|
||
|
rule EXPL_LOG_ProxyNotShell_OWASSRF_PowerShell_Proxy_Log_Dec22_2 {
|
||
|
meta:
|
||
|
description = "Detects traces of exploitation activity in relation to ProxyNotShell MS Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082"
|
||
|
author = "Florian Roth (Nextron Systems)"
|
||
|
reference = "https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/"
|
||
|
date = "2022-12-22"
|
||
|
score = 60
|
||
|
id = "85722997-fd28-51cf-817e-7a314e284b0b"
|
||
|
strings:
|
||
|
$sr1 = / \/owa\/[^\/\s]{1,30}(%40|@)[^\/\s\.]{1,30}\.[^\/\s]{2,3}\/powershell / ascii wide
|
||
|
|
||
|
$sa1 = " 200 " ascii wide
|
||
|
$sa2 = " POST " ascii wide
|
||
|
|
||
|
// based on filters found in CrowdStrikes script https://github.com/CrowdStrike/OWASSRF/blob/main/Rps_Http-IOC.ps1
|
||
|
$fp1 = "ClientInfo" ascii wide fullword
|
||
|
$fp2 = "Microsoft WinRM Client" ascii wide fullword
|
||
|
$fp3 = "Exchange BackEnd Probes" ascii wide fullword
|
||
|
condition:
|
||
|
all of ($s*)
|
||
|
and not 1 of ($fp*)
|
||
|
}
|
||
|
|
||
|
rule EXPL_LOG_ProxyNotShell_OWASSRF_PowerShell_Proxy_Log_Dec22_3 {
|
||
|
meta:
|
||
|
description = "Detects traces of exploitation activity in relation to ProxyNotShell MS Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082"
|
||
|
author = "Florian Roth (Nextron Systems)"
|
||
|
reference = "https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/"
|
||
|
date = "2022-12-22"
|
||
|
score = 60
|
||
|
id = "76dd786e-daaa-5cd9-8e3e-50d9eab7f9d2"
|
||
|
strings:
|
||
|
$sa1 = " POST /powershell - 444 " ascii wide
|
||
|
$sa2 = " POST /Powershell - 444 " ascii wide
|
||
|
$sb1 = " - 200 0 0 2" ascii wide
|
||
|
|
||
|
// based on filters found in CrowdStrikes script https://github.com/CrowdStrike/OWASSRF/blob/main/Rps_Http-IOC.ps1
|
||
|
$fp1 = "ClientInfo" ascii wide fullword
|
||
|
$fp2 = "Microsoft WinRM Client" ascii wide fullword
|
||
|
$fp3 = "Exchange BackEnd Probes" ascii wide fullword
|
||
|
condition:
|
||
|
1 of ($sa*) and $sb1 and not 1 of ($fp*)
|
||
|
}
|
||
|
|
||
|
rule EXPL_LOG_ProxyNotShell_PowerShell_Proxy_Log_Dec22_1 {
|
||
|
meta:
|
||
|
description = "Detects traces of exploitation activity in relation to ProxyNotShell MS Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082"
|
||
|
author = "Florian Roth (Nextron Systems)"
|
||
|
reference = "https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/"
|
||
|
date = "2022-12-22"
|
||
|
modified = "2023-01-26"
|
||
|
score = 70
|
||
|
id = "5af3ae70-8897-593f-a413-82ca1d1ba961"
|
||
|
strings:
|
||
|
$re1 = /,\/[Pp][Oo][Ww][Ee][Rr][Ss][Hh][Ee][Ll][Ll][^\n]{0,50},Kerberos,true,[^\n]{0,50},200,0,,,,[^\n]{0,2000};OnEndRequest\.End\.ContentType=application\/soap\+xml charset UTF-8;S:ServiceCommonMetadata\.HttpMethod=POST;/ ascii wide
|
||
|
|
||
|
// based on filters found in CrowdStrikes script https://github.com/CrowdStrike/OWASSRF/blob/main/Rps_Http-IOC.ps1
|
||
|
$fp1 = "ClientInfo" ascii wide fullword
|
||
|
$fp2 = "Microsoft WinRM Client" ascii wide fullword
|
||
|
$fp3 = "Exchange BackEnd Probes" ascii wide fullword
|
||
|
condition:
|
||
|
$re1 and not 1 of ($fp*)
|
||
|
}
|
||
|
|