refactor: add 500 status code in selection2

to avoid FPs with exploitation attempts
Florian Roth 2021-08-30 16:12:42 +02:00
parent 4a4966af77
commit af9392ba0f
No known key found for this signature in database
GPG Key ID: 5C328E4878049D7A

@ -2,7 +2,7 @@ title: CVE-2021-33766 Exchange ProxyToken Exploitation
id: 56973b50-3382-4b56-bdf5-f51a3183797a
status: experimental
description: Detects the exploitation of Microsoft Exchange ProxyToken vulnerability as described in CVE-2021-33766
author: Florian Roth
author: Florian Roth, Max Altgelt, Christian Burkard
date: 2021/08/30
references:
- https://www.zerodayinitiative.com/blog/2021/8/30/proxytoken-an-authentication-bypass-in-microsoft-exchange-server
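Review bot: the change to the author line (from "Florian Roth" to "Florian Roth, Max Altgelt, Christian Burkard") is not mentioned in the commit message, which only describes adding the 500 status code to selection2. Either mention the credit change in the message or move it into its own commit so the rule history stays easy to audit; the detection change and the metadata change are unrelated.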
@ -22,6 +22,7 @@ detection:
c-uri|contains|all:
- 'SecurityToken='
- '/ecp/'
sc-status: 500
condition: selection1 or selection2
fields:
- c-ip
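Review bot: adding `sc-status: 500` narrows selection2 so that a request to `/ecp/` carrying `SecurityToken=` only matches when the server answered 500; any such request with a different status now depends entirely on selection1, which is not part of this hunk. The rule does not say why 500 is the expected discriminator, so the description (or a `falsepositives` entry) should state that the 500 response is what separates real ProxyToken attempts from benign `/ecp/` traffic with a SecurityToken parameter, otherwise a future editor may drop the constraint as accidental. Also check the log backends the rule targets: some sources store the status field as a string, in which case the unquoted integer `500` should be confirmed to match before the rule is promoted out of `experimental`.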