Potential OWASSRF Exploitation Attempt - Webserver
Detects exploitation attempt of the OWASSRF variant targeting exchange servers It uses the OWA endpoint to access the powershell backend endpoint
Sigma rule (View on GitHub)
1title: Potential OWASSRF Exploitation Attempt - Webserver
2id: 181f49fa-0b21-4665-a98c-a57025ebb8c7
3status: test
4description: Detects exploitation attempt of the OWASSRF variant targeting exchange servers It uses the OWA endpoint to access the powershell backend endpoint
5references:
6 - https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/
7 - https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/
8author: Nasreddine Bencherchali (Nextron Systems)
9date: 2022/12/22
10modified: 2023/01/02
11tags:
12 - attack.initial_access
13 - attack.t1190
14 - detection.emerging_threats
15logsource:
16 category: webserver
17detection:
18 selection:
19 cs-method: 'POST'
20 sc-status: 200
21 cs-uri-query|contains|all:
22 - '/owa/'
23 - '/powershell'
24 cs-uri-query|contains:
25 - '@'
26 - '%40'
27 filter_main_ua:
28 cs-user-agent:
29 - 'ClientInfo'
30 - 'Microsoft WinRM Client'
31 - 'Exchange BackEnd Probes'
32 condition: selection and not 1 of filter_main_*
33falsepositives:
34 - Web vulnerability scanners
35level: high
References
-
Learn how CrowdStrike recently discovered a new exploit method using CVE-2022-41080 and CVE-2022-41082 to achieve remote code execution (RCE) through Outlook Web Access.
Read More -
Beginning December 20, 2022, Rapid7 has responded to an increase in the number of Microsoft Exchange server compromises. Further investigation aligned these attacks to what CrowdStrike is reporting as “OWASSRF”.
Read More
Related rules
- OWASSRF Exploitation Attempt Using Public POC - Webserver
- Potential CVE-2021-27905 Exploitation Attempt
- Potential CVE-2022-21587 Exploitation Attempt
- Potential CVE-2023-23752 Exploitation Attempt
- Potential CVE-2022-26809 Exploitation Attempt