OWASSRF Exploitation Attempt Using Public POC - Proxy
Detects exploitation attempts of the OWASSRF variant targeting Exchange servers that use the publicly available POC. The POC uses the OWA endpoint to reach the PowerShell backend endpoint.
Sigma rule
title: OWASSRF Exploitation Attempt Using Public POC - Proxy
id: fdd7e904-7304-4616-a46a-e32f917c4be4
status: test
description: Detects exploitation attempts of the OWASSRF variant targeting Exchange servers that use the publicly available POC. The POC uses the OWA endpoint to reach the PowerShell backend endpoint
references:
    - https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/
    - https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/
    - https://twitter.com/purp1ew0lf/status/1602989967776808961?s=12&t=OkZJl_ViICeiftVEsohRyw
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/12/22
tags:
    - attack.initial_access
    - attack.t1190
logsource:
    category: proxy
detection:
    selection:
        # Look for the header: X-OWA-ExplicitLogonUser: owa/mastermailbox@outlook.com
        c-useragent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.54 Safari/537.36'
        cs-method: 'POST'
        sc-status: 200
        c-uri|contains|all:
            - '/owa/mastermailbox'
            - '/powershell'
    condition: selection
falsepositives:
    - Unlikely
level: critical
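To make the `selection` block concrete, the following is an added example, not code from the SigmaHQ rule or from the references above: a small evaluator for that block run over constructed W3C-style proxy log lines. The log lines, IP addresses and URIs are made up for the demonstration, the field names are the Sigma `proxy` logsource names (c-useragent, cs-method, sc-status, c-uri) rather than any particular proxy's native names (a Sigma backend maps those for you), and `parse_w3c`, `field_matches`, `selection_matches` and `find_owassrf_attempts` are hypothetical helpers written here.

```python
"""
Added example (not part of the SigmaHQ rule or its references): a minimal
evaluator for the rule's `selection` block, run over constructed W3C-style
proxy log lines. Field names in the sample follow the Sigma `proxy`
logsource (c-useragent, cs-method, sc-status, c-uri); a real proxy's
native field names would be mapped to these by the Sigma backend.
"""

# User-Agent string pinned by the rule (the value the public POC sends).
POC_USER_AGENT = (
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/105.0.5195.54 Safari/537.36"
)

# The rule's `selection` block as a dict: every entry must match (AND).
SELECTION = {
    "c-useragent": POC_USER_AGENT,
    "cs-method": "POST",
    "sc-status": "200",
    "c-uri|contains|all": ["/owa/mastermailbox", "/powershell"],
}

# Constructed sample log (not captured traffic). Field list comes from the
# #Fields: header; the User-Agent is deliberately last because it contains spaces.
SAMPLE_LOG = """\
#Software: constructed-proxy
#Fields: date time c-ip cs-method c-uri sc-status c-useragent
2022-12-22 10:00:01 203.0.113.10 POST /owa/mastermailbox@outlook.com/powershell 200 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.54 Safari/537.36
2022-12-22 10:00:02 203.0.113.10 POST /OWA/MasterMailbox@outlook.com/PowerShell 200 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.54 Safari/537.36
2022-12-22 10:00:03 203.0.113.10 POST /owa/mastermailbox@outlook.com/powershell 401 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.54 Safari/537.36
2022-12-22 10:00:04 198.51.100.7 GET /owa/auth/logon.aspx 200 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.54 Safari/537.36
2022-12-22 10:00:05 198.51.100.9 POST /owa/mastermailbox@outlook.com/powershell 200 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
"""


def parse_w3c(text):
    """Yield one dict per data line, using the most recent #Fields: header."""
    fields = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        # Split into exactly len(fields) parts so the trailing User-Agent
        # keeps its internal spaces.
        parts = line.split(" ", len(fields) - 1)
        if len(parts) != len(fields):
            continue  # malformed line: skip rather than mis-map fields
        yield dict(zip(fields, parts))


def field_matches(event, key, expected):
    """Evaluate one Sigma selection entry with the modifiers the rule uses.

    Sigma string comparison is case-insensitive, so both sides are lowered.
    Supported modifiers: none (equality), `contains`, `all`.
    """
    name, *modifiers = key.split("|")
    value = str(event.get(name, "")).lower()
    wanted = expected if isinstance(expected, list) else [expected]
    wanted = [str(w).lower() for w in wanted]
    if "contains" in modifiers:
        hits = [w in value for w in wanted]
    else:
        hits = [value == w for w in wanted]
    return all(hits) if "all" in modifiers else any(hits)


def selection_matches(event, selection=SELECTION):
    """True when every entry of the selection matches (Sigma map = AND)."""
    return all(field_matches(event, k, v) for k, v in selection.items())


def find_owassrf_attempts(log_text):
    """Return (c-ip, c-uri) for every event that satisfies the rule."""
    return [
        (ev["c-ip"], ev["c-uri"])
        for ev in parse_w3c(log_text)
        if selection_matches(ev)
    ]


if __name__ == "__main__":
    for ip, uri in find_owassrf_attempts(SAMPLE_LOG):
        print(f"OWASSRF POC pattern from {ip}: {uri}")
```

Run stand-alone, it reports only the first two sample requests. The 401 response, the GET, and the POST with a different Chrome version do not match even though their URI is identical, which illustrates the two things to keep in mind when deploying this rule: `sc-status: 200` means it only fires once the request succeeded, and the User-Agent is a fixed string copied from the public POC and entirely attacker-controlled, so any modified POC slips past it. The comment about `X-OWA-ExplicitLogonUser` names the header the POC sets, but most proxy log formats do not record arbitrary request headers, which is why the rule keys on the URI path instead. The second sample line, with mixed-case `/OWA/MasterMailbox`, still matches because Sigma string matching is case-insensitive.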
Related rules
- Apache Spark Shell Command Injection - Weblogs
- Atlassian Bitbucket Command Injection Via Archive API
- CVE-2021-41773 Exploitation Attempt
- CVE-2022-31656 VMware Workspace ONE Access Auth Bypass
- CVE-2022-31659 VMware Workspace ONE Access RCE