Sneed-Reactivity/yara-Neo23x0/vuln_proxynotshell_cve_2022_41040.yar


rule LOG_ProxyNotShell_POC_CVE_2022_41040_Nov22 {
   meta:
      description = "Detects logs generated after a successful exploitation using the PoC code against CVE-2022-41040 and CVE-2022-41082 (aka ProxyNotShell) in Microsoft Exchange servers"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://github.com/testanull/ProxyNotShell-PoC"
      date = "2022-11-17"
      score = 70
      id = "1e47d124-3103-5bf5-946f-b1bb69ff2c8e"
   strings:
      $aa1 = " POST " ascii wide
      $aa2 = " GET " ascii wide

      $ab1 = " 200 " ascii wide

      $s01 = "/autodiscover.json x=a" ascii wide
      $s02 = "/autodiscover/admin@localhost/" ascii wide
   condition:
      1 of ($aa*) and $ab1 and 1 of ($s*)
}
OMG ISTG PLS WORK RED PILL :red_circle: :pill: 2024-07-25 12:43:35 -05:00
			`rule LOG_ProxyNotShell_POC_CVE_2022_41040_Nov22 {`
			`meta:`
			`description = "Detects logs generated after a successful exploitation using the PoC code against CVE-2022-41040 and CVE-2022-41082 (aka ProxyNotShell) in Microsoft Exchange servers"`
			`author = "Florian Roth (Nextron Systems)"`
			`reference = "https://github.com/testanull/ProxyNotShell-PoC"`
			`date = "2022-11-17"`
			`score = 70`
			`id = "1e47d124-3103-5bf5-946f-b1bb69ff2c8e"`
			`strings:`
			`$aa1 = " POST " ascii wide`
			`$aa2 = " GET " ascii wide`

			`$ab1 = " 200 " ascii wide`

			`$s01 = "/autodiscover.json x=a" ascii wide`
			`$s02 = "/autodiscover/admin@localhost/" ascii wide`
			`condition:`
			`1 of ($aa) and $ab1 and 1 of ($s)`
			`}`