Potential OWASSRF Exploitation Attempt - Proxy
Detects exploitation attempt of the OWASSRF variant targeting exchange servers It uses the OWA endpoint to access the powershell backend endpoint
Sigma rule (View on GitHub)
1title: Potential OWASSRF Exploitation Attempt - Proxy
2id: 1ddf4596-1908-43c9-add2-1d2c2fcc4797
3status: test
4description: Detects exploitation attempt of the OWASSRF variant targeting exchange servers It uses the OWA endpoint to access the powershell backend endpoint
5references:
6 - https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/
7 - https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/
8author: Nasreddine Bencherchali (Nextron Systems)
9date: 2022/12/22
10tags:
11 - attack.initial_access
12 - attack.t1190
13logsource:
14 category: proxy
15detection:
16 selection:
17 cs-method: 'POST'
18 sc-status: 200
19 c-uri|contains|all:
20 - '/owa/'
21 - '/powershell'
22 c-uri|contains:
23 - '@'
24 - '%40'
25 filter_main_ua:
26 c-useragent:
27 - 'ClientInfo'
28 - 'Microsoft WinRM Client'
29 - 'Exchange BackEnd Probes'
30 condition: selection and not 1 of filter_main_*
31falsepositives:
32 - Web vulnerability scanners
33level: high
References
-
Learn how CrowdStrike recently discovered a new exploit method using CVE-2022-41080 and CVE-2022-41082 to achieve remote code execution (RCE) through Outlook Web Access.
Read More -
Beginning December 20, 2022, Rapid7 has responded to an increase in the number of Microsoft Exchange server compromises. Further investigation aligned these attacks to what CrowdStrike is reporting as “OWASSRF”.
Read More
Related rules
- OWASSRF Exploitation Attempt Using Public POC - Proxy
- OWASSRF Exploitation Attempt Using Public POC - Webserver
- Potential OWASSRF Exploitation Attempt - Webserver
- Remote Access Tool - ScreenConnect Server Web Shell Execution
- Exchange Webshell creation