Sneed-Reactivity/yara-Neo23x0/exploit_cve_2021_33766_proxytoken.yar

23 lines
724 B
Text
Raw Normal View History

rule LOG_EXPL_ProxyToken_Exploitation_Aug21_1 {
meta:
description = "Detects ProxyToken CVE-2021-33766 exploitation attempts on an unpatched system"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.zerodayinitiative.com/blog/2021/8/30/proxytoken-an-authentication-bypass-in-microsoft-exchange-server"
date = "2021-08-30"
score = 75
id = "f4840140-6d31-52f9-b1a0-2acdd4b955cd"
strings:
$ss0 = "POST " ascii
$ss1 = " 500 0 0"
$sa1 = "/ecp/" ascii
$sa2 = "/RulesEditor/InboxRules.svc/NewObject" ascii
$sb1 = "/ecp/" ascii
$sb2 = "SecurityToken=" ascii
condition:
all of ($ss*) and ( all of ($sa*) or all of ($sb*) )
}