mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-07 09:48:58 +00:00
6f05e33feb
Correct a number of rules where message or keyword were incorrectly used as field names in events (typically windows event logs). However, neither field actually exists and as such these strings could never match.
24 lines
842 B
YAML
title: ProxyLogon MSExchange OabVirtualDirectory
id: 550d3350-bb8a-4ff3-9533-2ba533f4a1c0
status: experimental
description: Detects specific patterns found after a successful ProxyLogon exploitation in relation to a Commandlet invocation of Set-OabVirtualDirectory
references:
    - https://bi-zone.medium.com/hunting-down-ms-exchange-attacks-part-1-proxylogon-cve-2021-26855-26858-27065-26857-6e885c5f197c
author: Florian Roth
date: 2021/08/09
logsource:
    product: windows
    service: msexchange-management
detection:
    selection_cmdlet:
        - 'OabVirtualDirectory'
        - ' -ExternalUrl '
    selection_params:
        - 'eval(request'
        - 'http://f/<script'
        - '"unsafe"};'
        - 'function Page_Load()'
    condition: all of selection_cmdlet and selection_params
falsepositives:
    - Unlikely
level: critical
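The rule's detection block, evaluated in plain Python over a handful of constructed messages. This is an added example, not code from SigmaHQ, the rule's author, or pySigma; the message text, host name and identities are constructed for illustration and are not verbatim MSExchange Management events. It shows the two things a practitioner should check before trusting the rule: `all of selection_cmdlet` means every string in that list must be present while `selection_params` needs only one, and Sigma substring matching is case-insensitive, so `eval(request` also hits the `eval(Request[` spelling a JScript payload actually uses.

```python
# Added example, not code from SigmaHQ or the rule's author: the rule's
# detection block evaluated in plain Python over constructed sample messages.
# The messages below are constructed for illustration and are not verbatim
# MSExchange Management events.

# Strings copied from the rule's detection block.
SELECTION_CMDLET = ["OabVirtualDirectory", " -ExternalUrl "]
SELECTION_PARAMS = ['eval(request', 'http://f/<script', '"unsafe"};', 'function Page_Load()']


def contains_ci(haystack: str, needle: str) -> bool:
    """Sigma substring matching is case-insensitive by default, so the rule's
    'eval(request' must also hit 'eval(Request[' as written in a JScript payload."""
    return needle.casefold() in haystack.casefold()


def matches_rule(message: str) -> bool:
    """condition: all of selection_cmdlet and selection_params

    'all of <list selection>' requires every string in that list to appear;
    a list selection referenced by bare name is an OR, so any single
    selection_params string is enough."""
    cmdlet_hit = all(contains_ci(message, s) for s in SELECTION_CMDLET)
    params_hit = any(contains_ci(message, s) for s in SELECTION_PARAMS)
    return cmdlet_hit and params_hit


# Constructed JScript fragment of the kind the rule's param strings describe.
WEBSHELL = ('<script language="JScript" runat="server">'
            'function Page_Load(){eval(Request["cmd"],"unsafe");}</script>')

# Constructed sample messages (label -> text).
SAMPLE_EVENTS = {
    # ProxyLogon-style abuse: the OAB virtual directory's ExternalUrl is set
    # to a JScript fragment instead of a URL.
    "webshell_oab":
        "Cmdlet Set-OabVirtualDirectory -Identity 'EXCH01\\OAB (Default Web Site)'"
        f" -ExternalUrl 'http://f/{WEBSHELL}'",
    # Same cmdlet and parameter with a legitimate URL: both cmdlet strings
    # match, none of the payload strings do, so no alert.
    "benign_oab":
        "Cmdlet Set-OabVirtualDirectory -Identity 'EXCH01\\OAB (Default Web Site)'"
        " -ExternalUrl 'https://mail.example.com/OAB'",
    # Mixed case everywhere: still matches because matching is case-insensitive.
    "case_variant":
        "cmdlet set-oabvirtualdirectory -identity 'exch01\\oab (default web site)'"
        " -EXTERNALURL 'HTTP://F/<SCRIPT>FUNCTION PAGE_LOAD(){EVAL(REQUEST[\"X\"])}'",
    # Same payload against a different virtual directory: outside this rule's
    # scope, which is pinned to the OabVirtualDirectory string.
    "other_vdir":
        "Cmdlet Set-OwaVirtualDirectory -Identity 'EXCH01\\owa (Default Web Site)'"
        f" -ExternalUrl 'http://f/{WEBSHELL}'",
    # PowerShell also accepts the '-Parameter:value' form; the rule's
    # ' -ExternalUrl ' string (note the trailing space) does not cover it.
    "colon_syntax":
        "Cmdlet Set-OabVirtualDirectory -Identity 'EXCH01\\OAB (Default Web Site)'"
        f" -ExternalUrl:'http://f/{WEBSHELL}'",
}


def evaluate(events: dict) -> dict:
    """Return {label: bool} for every sample message."""
    return {label: matches_rule(msg) for label, msg in events.items()}


if __name__ == "__main__":
    for label, hit in evaluate(SAMPLE_EVENTS).items():
        print(f"{'ALERT' if hit else '  -  '} {label}")
```

The `colon_syntax` and `other_vdir` cases are the caveats worth carrying into a deployment: the rule keys on the exact text ` -ExternalUrl ` with surrounding spaces, so it only fires when the logged command uses that spacing, and it is scoped to the OAB virtual directory alone. The `case_variant` case is the opposite reminder: if this logic is ported to a backend that does case-sensitive substring search, the rule silently loses the `eval(Request[` spelling.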