Sneed-Reactivity/yara-Neo23x0/expl_cve_2022_41040_proxynoshell.yar

27 lines
1 KiB
Text
Raw Normal View History

rule EXPL_Exchange_ProxyNotShell_Patterns_CVE_2022_41040_Oct22_1 : SCRIPT {
meta:
description = "Detects successful ProxyNotShell exploitation attempts in log files (attempt to identify the attack before the official release of detailed information)"
author = "Florian Roth (Nextron Systems)"
score = 75
old_rule_name = "EXPL_Exchange_ProxyNoShell_Patterns_CVE_2022_41040_Oct22_1"
reference = "https://github.com/kljunowsky/CVE-2022-41040-POC"
date = "2022-10-11"
modified = "2023-03-15"
id = "d2812fcd-0a20-5bbd-a9e1-9cca1ed58aa3"
strings:
$sr1 = / \/autodiscover\/autodiscover\.json[^\n]{1,300}owershell/ nocase ascii
$sa1 = " 200 "
$fp1 = " 444 "
$fp2 = " 404 "
$fp2b = " 401 " /* Unauthorized */
$fp3 = "GET /owa/ &Email=autodiscover/autodiscover.json%3F@test.com&ClientId=" ascii /* Nessus */
$fp4 = "@test.com/owa/?&Email=autodiscover/autodiscover.json%3F@test.com" ascii /* Nessus */
condition:
$sr1
and 1 of ($sa*)
and not 1 of ($fp*)
}