Sneed-Reactivity/yara-Neo23x0/vuln_proxynotshell_cve_2022_41040.yar
Sam Sneed 08e8d462fe OMG ISTG PLS WORK
RED PILL 🔴 💊
2024-07-25 12:43:35 -05:00

20 lines
731 B
Text

rule LOG_ProxyNotShell_POC_CVE_2022_41040_Nov22 {
meta:
description = "Detects logs generated after a successful exploitation using the PoC code against CVE-2022-41040 and CVE-2022-41082 (aka ProxyNotShell) in Microsoft Exchange servers"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/testanull/ProxyNotShell-PoC"
date = "2022-11-17"
score = 70
id = "1e47d124-3103-5bf5-946f-b1bb69ff2c8e"
strings:
$aa1 = " POST " ascii wide
$aa2 = " GET " ascii wide
$ab1 = " 200 " ascii wide
$s01 = "/autodiscover.json x=a" ascii wide
$s02 = "/autodiscover/admin@localhost/" ascii wide
condition:
1 of ($aa*) and $ab1 and 1 of ($s*)
}