Successful Exchange ProxyShell Attack
Detects URI patterns and status codes that indicate a successful ProxyShell exploitation attack against Exchange servers
Sigma rule:

```yaml
title: Successful Exchange ProxyShell Attack
id: 992be1eb-e5da-437e-9a54-6d13b57bb4d8
status: test
description: Detects URI patterns and status codes that indicate a successful ProxyShell exploitation attack against Exchange servers
references:
    - https://youtu.be/5mqid-7zp8k?t=2231
    - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html
    - https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1
author: Florian Roth (Nextron Systems), Rich Warren
date: 2021-08-09
modified: 2023-01-02
tags:
    - attack.initial-access
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection_auto:
        cs-uri-query|contains: '/autodiscover.json'
    selection_uri:
        cs-uri-query|contains:
            - '/powershell'
            - '/mapi/nspi'
            - '/EWS'
            - 'X-Rps-CAT'
    selection_success:
        sc-status:
            - 200
            - 301
    condition: selection_auto and selection_uri and selection_success
falsepositives:
    - Unknown
level: critical
```
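The rule fires only when all three selections hold on the same log entry: the query string contains `/autodiscover.json`, it also contains one of the four ProxyShell path fragments, and the server answered 200 or 301 (a 401 or 404 on the same request is a failed attempt and stays out of scope of this rule). The following Python script is an added example, not part of the Sigma rule or the SigmaHQ project: it parses IIS W3C extended log text (the `webserver` log source as IIS writes it, with `cs-uri-query` and `sc-status` columns declared by a `#Fields:` header) and applies the rule's condition entry by entry. The log lines are constructed test fixtures, and the `contains` comparison is case-insensitive, as Sigma's `contains` modifier is by default, so a lowercase `/ews/` matches `/EWS`.

```python
"""Apply the ProxyShell 'successful attack' Sigma logic to IIS W3C log lines.

Added example; assumes IIS-style W3C extended logging where the field names
in the '#Fields:' header match the Sigma field names used by the rule.
"""

# Patterns copied from the rule above.
AUTO_PATTERN = "/autodiscover.json"
URI_PATTERNS = ("/powershell", "/mapi/nspi", "/EWS", "X-Rps-CAT")
# sc-status is a string in the parsed log, so compare as strings.
SUCCESS_STATUSES = {"200", "301"}

# Constructed sample log (not real traffic). IIS writes '-' for an empty query
# and replaces spaces inside fields with '+', so whitespace splitting is safe.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2021-08-10 12:00:01 198.51.100.7 POST /autodiscover/autodiscover.json Email=autodiscover/autodiscover.json%3F@example.test/powershell 200
2021-08-10 12:00:02 198.51.100.7 POST /autodiscover/autodiscover.json Email=autodiscover/autodiscover.json%3F@example.test/powershell 401
2021-08-10 12:00:03 203.0.113.4 GET /owa/ - 200
2021-08-10 12:00:04 203.0.113.4 POST /autodiscover/autodiscover.json Email=user@example.test 200
2021-08-10 12:00:05 198.51.100.7 POST /autodiscover/autodiscover.json Email=autodiscover/autodiscover.json%3F@example.test/mapi/nspi/ 301
2021-08-10 12:00:06 198.51.100.7 POST /autodiscover/autodiscover.json Email=autodiscover/autodiscover.json%3F@example.test/ews/ 200
"""


def parse_w3c(text):
    """Yield one dict per data line; the '#Fields:' directive names the columns."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # other directives (#Software, #Date, ...) carry no data
        if fields is None:
            raise ValueError("data line encountered before a #Fields header")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {line}")
        yield dict(zip(fields, values))


def contains_ci(haystack, needle):
    """Sigma's 'contains' modifier is case-insensitive by default."""
    return needle.lower() in haystack.lower()


def matches_proxyshell_success(entry):
    """Evaluate 'selection_auto and selection_uri and selection_success' for one entry."""
    query = entry.get("cs-uri-query", "")
    sel_auto = contains_ci(query, AUTO_PATTERN)
    sel_uri = any(contains_ci(query, p) for p in URI_PATTERNS)
    sel_success = entry.get("sc-status") in SUCCESS_STATUSES
    return sel_auto and sel_uri and sel_success


def find_alerts(text):
    """Return the log entries that satisfy the rule condition."""
    return [entry for entry in parse_w3c(text) if matches_proxyshell_success(entry)]


if __name__ == "__main__":
    for hit in find_alerts(SAMPLE_LOG):
        print(hit["time"], hit["c-ip"], hit["sc-status"], hit["cs-uri-query"])
```

On the sample above, the entries at 12:00:01, 12:00:05 and 12:00:06 alert; the 12:00:02 entry shares the same query but returned 401 and is dropped by `selection_success`, and the ordinary autodiscover request at 12:00:04 lacks every `selection_uri` fragment. If your web server logs the full request line rather than a separate query column (Apache or nginx combined format), map the fields to `cs-uri-query` and `sc-status` before applying the logic, since the rule matches on the query string specifically.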