08e8d462fe
RED PILL 🔴 💊
20 lines
731 B
Text
20 lines
731 B
Text
|
|
rule LOG_ProxyNotShell_POC_CVE_2022_41040_Nov22 {
|
|
meta:
|
|
description = "Detects logs generated after a successful exploitation using the PoC code against CVE-2022-41040 and CVE-2022-41082 (aka ProxyNotShell) in Microsoft Exchange servers"
|
|
author = "Florian Roth (Nextron Systems)"
|
|
reference = "https://github.com/testanull/ProxyNotShell-PoC"
|
|
date = "2022-11-17"
|
|
score = 70
|
|
id = "1e47d124-3103-5bf5-946f-b1bb69ff2c8e"
|
|
strings:
|
|
$aa1 = " POST " ascii wide
|
|
$aa2 = " GET " ascii wide
|
|
|
|
$ab1 = " 200 " ascii wide
|
|
|
|
$s01 = "/autodiscover.json x=a" ascii wide
|
|
$s02 = "/autodiscover/admin@localhost/" ascii wide
|
|
condition:
|
|
1 of ($aa*) and $ab1 and 1 of ($s*)
|
|
}
|