Successful Exchange ProxyShell Attack

 1title: Successful Exchange ProxyShell Attack
 2id: 992be1eb-e5da-437e-9a54-6d13b57bb4d8
 3status: test
 4description: Detects URP patterns and status codes that indicate a successful ProxyShell exploitation attack against Exchange servers
 5references:
 6    - https://youtu.be/5mqid-7zp8k?t=2231
 7    - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html
 8    - https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1
 9author: Florian Roth (Nextron Systems), Rich Warren
10date: 2021/08/09
11modified: 2023/01/02
12tags:
13    - attack.initial_access
14    - detection.emerging_threats
15logsource:
16    category: webserver
17detection:
18    selection_auto:
19        cs-uri-query|contains: '/autodiscover.json'
20    selection_uri:
21        cs-uri-query|contains:
22            - '/powershell'
23            - '/mapi/nspi'
24            - '/EWS'
25            - 'X-Rps-CAT'
26    selection_success:
27        sc-status:
28            - 200
29            - 301
30    condition: selection_auto and selection_uri and selection_success
31falsepositives:
32    - Unknown
33level: critical

References

• YouTube

  

  Share your videos with friends, family, and the world

  
  Read More

• A New Attack Surface on MS Exchange Part 1 - ProxyLogon!

  

  This is 🍊 speaking

  
  Read More

• Reproducing The ProxyShell Pwn2Own Exploit

  

  INTRO

  
  Read More

Related rules

• CVE-2010-5278 Exploitation Attempt
• CVE-2020-0688 Exchange Exploitation via Web Log
• CVE-2020-0688 Exploitation Attempt
• CVE-2020-10148 SolarWinds Orion API Auth Bypass
• CVE-2020-5902 F5 BIG-IP Exploitation Attempt