Potential OWASSRF Exploitation Attempt - Proxy
Detects exploitation attempt of the OWASSRF variant targeting exchange servers It uses the OWA endpoint to access the powershell backend endpoint
Sigma rule (View on GitHub)
1title: Potential OWASSRF Exploitation Attempt - Proxy
2id: 1ddf4596-1908-43c9-add2-1d2c2fcc4797
3status: test
4description: Detects exploitation attempt of the OWASSRF variant targeting exchange servers It uses the OWA endpoint to access the powershell backend endpoint
5references:
6 - https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/
7 - https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/
8author: Nasreddine Bencherchali (Nextron Systems)
9date: 2022-12-22
10tags:
11 - attack.initial-access
12 - attack.t1190
13logsource:
14 category: proxy
15detection:
16 selection:
17 cs-method: 'POST'
18 sc-status: 200
19 c-uri|contains|all:
20 - '/owa/'
21 - '/powershell'
22 c-uri|contains:
23 - '@'
24 - '%40'
25 filter_main_ua:
26 c-useragent:
27 - 'ClientInfo'
28 - 'Microsoft WinRM Client'
29 - 'Exchange BackEnd Probes'
30 condition: selection and not 1 of filter_main_*
31falsepositives:
32 - Web vulnerability scanners
33level: high
References
-
Learn how CrowdStrike recently discovered a new exploit method using CVE-2022-41080 and CVE-2022-41082 to achieve remote code execution (RCE) through Outlook Web Access.
Read More -
Beginning December 20, 2022, Rapid7 has responded to an increase in the number of Microsoft Exchange server compromises. Further investigation aligned these attacks to what CrowdStrike is reporting as “OWASSRF”.
Read More
Related rules
- ADSelfService Exploitation
- Apache Spark Shell Command Injection - ProcessCreation
- Apache Spark Shell Command Injection - Weblogs
- Apache Threading Error
- Arcadyan Router Exploitations