Potential OWASSRF Exploitation Attempt - Webserver
Detects exploitation attempts of the OWASSRF variant targeting Exchange servers. It uses the OWA endpoint to access the PowerShell backend endpoint.
Sigma rule
```yaml
title: Potential OWASSRF Exploitation Attempt - Webserver
id: 181f49fa-0b21-4665-a98c-a57025ebb8c7
status: test
description: Detects exploitation attempts of the OWASSRF variant targeting Exchange servers. It uses the OWA endpoint to access the PowerShell backend endpoint
references:
    - https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/
    - https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-22
modified: 2023-01-02
tags:
    - attack.initial-access
    - attack.t1190
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection:
        cs-method: 'POST'
        sc-status: 200
        cs-uri-query|contains|all:
            - '/owa/'
            - '/powershell'
        cs-uri-query|contains:
            - '@'
            - '%40'
    filter_main_ua:
        cs-user-agent:
            - 'ClientInfo'
            - 'Microsoft WinRM Client'
            - 'Exchange BackEnd Probes'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Web vulnerability scanners
level: high
```
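To show how the rule's selection and filter_main_ua conditions map onto webserver log fields, here is an added Python example (not part of the Sigma rule or the SigmaHQ project) that applies the same logic to a constructed IIS W3C log excerpt. It assumes the rule's cs-uri-query field holds the full request URI (path plus query), as Sigma webserver rules conventionally use it, and that the log's cs(User-Agent) column maps to cs-user-agent.

```python
"""Added example (not the rule's own code): run the OWASSRF rule logic over constructed IIS lines."""
from typing import Iterator

# Constructed sample log, not real traffic. IIS writes spaces in the user agent as '+'.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2022-12-22 10:00:01 POST /owa/user%40example.test/powershell - 200 python-requests/2.28
2022-12-22 10:00:02 POST /owa/user@example.test/powershell clientId=1 200 Microsoft+WinRM+Client
2022-12-22 10:00:03 GET /owa/auth/logon.aspx - 200 Mozilla/5.0
2022-12-22 10:00:04 POST /owa/user@example.test/powershell - 401 curl/7.85
"""

def parse_w3c(text: str) -> Iterator[dict]:
    """Parse W3C extended log lines into dicts keyed by the rule's Sigma field names.
    Assumption: the rule's cs-uri-query is the full request URI (stem plus query),
    as Sigma webserver rules conventionally use it, so both columns are joined here."""
    fields: list[str] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        raw = dict(zip(fields, line.split()))
        stem, query = raw.get("cs-uri-stem", ""), raw.get("cs-uri-query", "-")
        yield {
            "cs-method": raw.get("cs-method", ""),
            "sc-status": int(raw.get("sc-status", 0)),
            "cs-uri-query": stem if query == "-" else f"{stem}?{query}",
            "cs-user-agent": raw.get("cs(User-Agent)", "").replace("+", " "),
        }

def matches_owassrf_rule(event: dict) -> bool:
    """Evaluate 'selection and not 1 of filter_main_*'; Sigma string matching is case-insensitive."""
    uri = event.get("cs-uri-query", "").lower()
    selection = (
        event.get("cs-method") == "POST"
        and event.get("sc-status") == 200
        and all(p in uri for p in ("/owa/", "/powershell"))  # cs-uri-query|contains|all
        and any(p in uri for p in ("@", "%40"))               # cs-uri-query|contains
    )
    excluded_ua = {"clientinfo", "microsoft winrm client", "exchange backend probes"}
    filter_main_ua = event.get("cs-user-agent", "").lower() in excluded_ua
    return selection and not filter_main_ua

def alerts(text: str) -> list[dict]:
    """Return the parsed records that the rule would flag."""
    return [e for e in parse_w3c(text) if matches_owassrf_rule(e)]
```

Only the first sample line is flagged: the second is suppressed by the user-agent filter, the third is a GET, and the fourth did not return 200.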