SigmaHQ/rules/web/web_exchange_proxyshell_successful.yml
2021-08-09 17:57:34 +02:00


title: Successful Exchange ProxyShell Attack
id: 992be1eb-e5da-437e-9a54-6d13b57bb4d8
status: experimental
description: Detects URI patterns and status codes that indicate a successful ProxyShell exploitation attack against Exchange servers
references:
    - https://youtu.be/5mqid-7zp8k?t=2231
    - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html
    - https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1
author: Florian Roth, Rich Warren
date: 2021/08/09
tags:
    - attack.initial_access
logsource:
    category: webserver
detection:
    selection_auto:
        c-uri|contains: '/autodiscover.json'
    selection_uri:
        c-uri|contains:
            - '/powershell'
            - '/mapi/nspi'
            - '/EWS'
            - 'X-Rps-CAT'
    selection_success:
        sc-status:
            - 200
            - 301
    condition: selection_auto and selection_uri and selection_success
falsepositives:
    - Unknown
level: critical
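The following is an added example, not part of the SigmaHQ repository or this rule file: it hand-implements the rule's three selections and its AND condition in Python and runs them over constructed IIS-style log lines, so the matching logic can be checked without a SIEM backend. The field names follow the W3C/IIS fields the rule refers to (c-uri, sc-status); the reduced log field order, the `parse_iis_line` helper and the sample lines are assumptions made for the example, and the sample request URIs only mimic the Autodiscover-plus-backend-path shape described in the referenced write-ups.

```python
"""Sigma rule "Successful Exchange ProxyShell Attack" evaluated over IIS log lines.

Added example, not SigmaHQ code: re-implements the rule's detection block so the
selections and condition can be exercised against constructed log lines.
"""
from dataclasses import dataclass

# Values copied verbatim from the rule's detection block.
AUTODISCOVER_MARKER = "/autodiscover.json"
BACKEND_MARKERS = ("/powershell", "/mapi/nspi", "/EWS", "X-Rps-CAT")
SUCCESS_STATUS = {200, 301}


@dataclass(frozen=True)
class WebLogEvent:
    c_uri: str       # path plus query string; IIS logs these as cs-uri-stem and cs-uri-query
    sc_status: int


def _contains(haystack: str, needle: str) -> bool:
    # Sigma's |contains modifier is case-insensitive; backends are expected to compile it that way.
    return needle.lower() in haystack.lower()


def selection_auto(ev: WebLogEvent) -> bool:
    return _contains(ev.c_uri, AUTODISCOVER_MARKER)


def selection_uri(ev: WebLogEvent) -> bool:
    # A list of values under one field is OR-ed in Sigma.
    return any(_contains(ev.c_uri, m) for m in BACKEND_MARKERS)


def selection_success(ev: WebLogEvent) -> bool:
    return ev.sc_status in SUCCESS_STATUS


def matches(ev: WebLogEvent) -> bool:
    """condition: selection_auto and selection_uri and selection_success"""
    return selection_auto(ev) and selection_uri(ev) and selection_success(ev)


def parse_iis_line(line: str) -> WebLogEvent:
    """Parse a W3C line with the assumed field order:
    date time cs-method cs-uri-stem cs-uri-query sc-status.
    Real IIS logs carry more columns; this reduced set is an assumption for the example.
    """
    _date, _time, _method, stem, query, status = line.split()
    # Join stem and query so markers that live in the query string (e.g. X-Rps-CAT) are visible.
    c_uri = stem if query == "-" else f"{stem}?{query}"
    return WebLogEvent(c_uri=c_uri, sc_status=int(status))


# Constructed sample lines, not captured traffic. Lines 2 and 3 mimic the
# Autodiscover path whose query smuggles a backend path, as described in the
# referenced write-ups; the rest are benign or failed requests.
SAMPLE_LOG = """\
2021-08-09 10:00:01 GET /autodiscover/autodiscover.json - 401
2021-08-09 10:00:02 GET /autodiscover/autodiscover.json @evil.example/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.example 200
2021-08-09 10:00:03 POST /autodiscover/autodiscover.json @evil.example/powershell/?X-Rps-CAT=AAAA 200
2021-08-09 10:00:04 GET /autodiscover/autodiscover.json @evil.example/EWS/Exchange.asmx 500
2021-08-09 10:00:05 POST /owa/auth.owa - 302
2021-08-09 10:00:06 GET /EWS/Exchange.asmx - 200
"""


def scan(log_text: str) -> list[WebLogEvent]:
    """Return the events the rule would alert on, in log order."""
    events = (parse_iis_line(line) for line in log_text.splitlines() if line.strip())
    return [ev for ev in events if matches(ev)]


if __name__ == "__main__":
    for ev in scan(SAMPLE_LOG):
        print("ALERT", ev.sc_status, ev.c_uri)
```

Two points worth checking when deploying the rule itself: IIS does not log a single `c-uri` field, so the field mapping in the backend must concatenate `cs-uri-stem` and `cs-uri-query`, otherwise the query-string markers (`X-Rps-CAT`, and the backend paths smuggled after the `@domain` part) are never seen; and because the whole condition hinges on one request carrying both `/autodiscover.json` and a backend path, a normal Autodiscover request (line 1 above) or a direct `/EWS` request (line 6) does not fire, which is what keeps the rule usable at level critical despite the unknown false-positive profile.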