ProxyLogon MSExchange OabVirtualDirectory

Detects specific patterns found after a successful ProxyLogon exploitation in relation to a Commandlet invocation of Set-OabVirtualDirectory

Sigma rule

title: ProxyLogon MSExchange OabVirtualDirectory
id: 550d3350-bb8a-4ff3-9533-2ba533f4a1c0
status: test
description: Detects specific patterns found after a successful ProxyLogon exploitation in relation to a Commandlet invocation of Set-OabVirtualDirectory
references:
    - https://bi-zone.medium.com/hunting-down-ms-exchange-attacks-part-1-proxylogon-cve-2021-26855-26858-27065-26857-6e885c5f197c
author: Florian Roth (Nextron Systems)
date: 2021/08/09
modified: 2023/01/23
tags:
    - attack.t1587.001
    - attack.resource_development
logsource:
    product: windows
    service: msexchange-management
detection:
    keywords_cmdlet:
        '|all':
            - 'OabVirtualDirectory'
            - ' -ExternalUrl '
    keywords_params:
        - 'eval(request'
        - 'http://f/<script'
        - '"unsafe"};'
        - 'function Page_Load()'
    condition: keywords_cmdlet and keywords_params
falsepositives:
    - Unlikely
level: critical
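To make the detection logic concrete, below is an added Python example (not part of the rule or of SigmaHQ) that re-implements the condition over MSExchange Management log entries flattened to single strings. It shows the two halves of the rule as Sigma evaluates them: the `|all` modifier on `keywords_cmdlet` requires every listed keyword to be present, the plain `keywords_params` list fires on any one entry, and the condition ANDs the two. Keyword matching is a case-insensitive substring test, which is how the Sigma specification defines string matching. The sample log lines are constructed for this illustration; the payload portion of the suspicious entry is deliberately replaced with a placeholder, since only the rule's indicator fragments matter here.

```python
"""Re-implementation of the ProxyLogon OabVirtualDirectory rule's condition.

Added example, not the rule's own code. Assumes each log entry is available
as one string (cmdlet name plus its parameter string concatenated).
"""

# Keywords copied from the rule. The leading/trailing spaces in
# ' -ExternalUrl ' are part of the pattern and must be preserved.
KEYWORDS_CMDLET_ALL = ["OabVirtualDirectory", " -ExternalUrl "]
KEYWORDS_PARAMS_ANY = [
    "eval(request",
    "http://f/<script",
    '"unsafe"};',
    "function Page_Load()",
]


def matches_rule(log_line: str) -> bool:
    """Return True when `keywords_cmdlet and keywords_params` holds for the line.

    Sigma string values match case-insensitively, so both the entry and the
    keywords are lowercased before the substring test.
    """
    text = log_line.lower()
    # '|all' modifier: every keyword in the list has to occur
    cmdlet_hit = all(k.lower() in text for k in KEYWORDS_CMDLET_ALL)
    # plain keyword list: any single keyword is enough
    params_hit = any(k.lower() in text for k in KEYWORDS_PARAMS_ANY)
    return cmdlet_hit and params_hit


def detect(log_lines):
    """Return the indices of entries that would raise this alert."""
    return [i for i, line in enumerate(log_lines) if matches_rule(line)]


# Constructed sample entries (not real telemetry).
SAMPLE_LOGS = [
    # Routine administration: cmdlet and -ExternalUrl present, no payload marker.
    'Cmdlet: Set-OabVirtualDirectory; Parameters: -Identity "OAB (Default Web Site)"'
    " -ExternalUrl https://mail.example.test/OAB",
    # Indicator fragment in an unrelated cmdlet: keywords_cmdlet does not hold.
    'Cmdlet: Set-Mailbox; Parameters: -Identity user1 -DisplayName "function Page_Load()"',
    # Cmdlet present but the -ExternalUrl parameter is missing: '|all' fails.
    'Cmdlet: Set-OabVirtualDirectory; Parameters: -Identity "OAB" -InternalUrl http://f/<script',
    # The pattern the rule targets: cmdlet context plus a payload indicator.
    'Cmdlet: Set-OabVirtualDirectory; Parameters: -Identity "OAB (Default Web Site)"'
    " -ExternalUrl http://f/<script ...>function Page_Load(){ [payload placeholder] }</script>",
]


if __name__ == "__main__":
    for idx in detect(SAMPLE_LOGS):
        print(f"ALERT (level: critical) on entry {idx}: {SAMPLE_LOGS[idx][:80]}...")
```

The third sample is the one worth studying: it carries an indicator string but not ` -ExternalUrl `, so the `|all` half fails and no alert is raised, which is exactly the precision the rule buys by pairing the cmdlet context with the payload fragments instead of alerting on either alone.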
